Sqlite3. Substitution of names in query.

Lawrence D'Oliveiro ldo at geek-central.gen.new_zealand
Sun Nov 1 01:08:00 EST 2009


In message <mailman.2397.1257034364.2807.python-list at python.org>, Carsten 
Haese wrote:

> Lawrence D'Oliveiro wrote:
>
>> In message <mailman.2376.1257005738.2807.python-list at python.org>, Carsten
>> Haese wrote:
>> 
>>> Lawrence D'Oliveiro wrote:
>>>
>>>> In message <mailman.2357.1256964121.2807.python-list at python.org>,
>>>> Dennis Lee Bieber wrote:
>>>>
>>>>> This way regular string interpolation operations (or whatever Python
>>>>> 3.x has replaced it with) are safe to construct the SQL, leaving only
>>>>> user supplied (or program generated) data values to be passed via the
>>>>> DB-API parameter system -- so that they are properly escaped and
>>>>> rendered safe.
>>>>
>>>> Mixing the two is another recipe for confusion and mistakes.
>>>
>>> Mixing the two is necessary.
>>> ...
>>> As long as you understand what you're doing, there should be no
>>> confusion. (And if you don't understand what you're doing, you shouldn't
>>> be doing it!)
>> 
>> But if you understand what you're doing, you don't need to mix the two.
>
> On what grounds are you asserting that it's not necessary to mix the
> two? Please elaborate your point.

On the grounds that Python has more general and powerful string parameter-substitution mechanisms than anything built into any database API.
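The split Dennis Lee Bieber describes higher up in the thread, as an added example that is not code from any of the posters: identifiers go into the statement text only after being checked against the live schema, while data values travel through the DB-API `?` parameters. The table, columns and rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample schema and rows (not taken from the thread).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user');
"""


def quote_identifier(name):
    """Quote a SQL identifier for SQLite by doubling embedded quotes."""
    return '"' + name.replace('"', '""') + '"'


def table_columns(conn, table):
    """Return the column names sqlite3 reports for `table`;
    an empty set means the table does not exist."""
    rows = conn.execute(f"PRAGMA table_info({quote_identifier(table)})")
    return {row[1] for row in rows}


def select_where(conn, table, column, value):
    """Build the statement text only from identifiers that exist in the
    schema; hand the data value to the DB-API parameter system so it is
    never spliced into the SQL text."""
    columns = table_columns(conn, table)
    if not columns:
        raise ValueError(f"unknown table: {table!r}")
    if column not in columns:
        raise ValueError(f"unknown column: {column!r}")
    sql = (f"SELECT name FROM {quote_identifier(table)} "
           f"WHERE {quote_identifier(column)} = ?")
    return [row[0] for row in conn.execute(sql, (value,))]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    normal = select_where(conn, "users", "role", "admin")
    # A value carrying SQL syntax is compared as a plain string.
    hostile_value = select_where(conn, "users", "name", "x' OR '1'='1")
    # An identifier carrying SQL syntax is rejected before any query runs.
    try:
        select_where(conn, "users", "role; DROP TABLE users", "admin")
        rejected = False
    except ValueError:
        rejected = True
    return normal, hostile_value, rejected
```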
