String substitution VS proper mysql escaping
Νίκος
nikos.the.gr33k at gmail.com
Sun Aug 29 21:38:42 EDT 2010
On 29 Αύγ, 21:34, MRAB <pyt... at mrabarnett.plus.com> wrote:
> It likes the values to be in a tuple. If there's one value, that's a
> 1-tuple: (page, ).
I noticed that if we are dealing with just a single value 'page' will
do, no need to tuple for 1-value.
it handles fine as a string.
> >> cursor.execute('''SELECT hits FROM counters WHERE page = %s and
> >> date = %s and host = %s''', page, date, host)
>
> > or python will not allow it cause it might think there are 4 args
> > isntead of two?
>
> Not Python (the language) as such, but the method. As I said, it
> expects the value(s) to be in a tuple.
If i dont parenthesize the execute method instead of getting 2
args(sql_query and tuple value) as it expects by deficition, it gets 4
args instead and thats why it fails? I need to know why ti fails. Is
that it?
Also in here,
page, date, host is 3 separate variable values here
while
(page, date, host) is 3 separate variables values also but withing a
tuple. Is this correct?
> >> cursor.execute(''' SELECT hits FROM counters WHERE page = '%s' and
> >> date = '%s' and host = '%s' ''', (page, date, host))
>
> > Whats happens if i attempt to also quote by single or double quoting
> > the above although now i'm aware that .execute method does the quoting
> > for me?
>
> The method will put in any quoting that's needed. If you also put in
> quotes then that'll result in 2 sets of quoting, one inside the other
> (or something like that).
>
> Why make more work for yourself? Let the method do it for you, safely
> and correctly!
I'am askign this because i'm tryong to see why
On 29 Αύγ, 21:34, MRAB <pyt... at mrabarnett.plus.com> wrote:
> It likes the values to be in a tuple. If there's one value, that's a
> 1-tuple: (page, ).
I noticed that if we are dealing with just a single value 'page' will
do, no need to tuple for 1-value.
it handles fine as a string.
> >> cursor.execute('''SELECT hits FROM counters WHERE page = %s and
> >> date = %s and host = %s''', page, date, host)
>
> > or python will not allow it cause it might think there are 4 args
> > isntead of two?
>
> Not Python (the language) as such, but the method. As I said, it
> expects the value(s) to be in a tuple.
If i dont parenthesize the execute method instead of getting 2
args(sql_query and tuple value) as it expects by deficition, it gets 4
args instead and thats why it fails? I need to know why ti fails. Is
that it?
========================
Also in here,
page, date, host is 3 separate variable values here
while
(page, date, host) is 3 separate variables values also but withing a
tuple. Is this correct?
=========================
I'm asking this to see why
cursor.execute(''' SELECT hits FROM counters WHERE page = '%s' and
date = '%s' and host = '%s' ''' % (page, date, host) )
does work, while same thign qithout the quotes
cursor.execute(''' SELECT hits FROM counters WHERE page = %s and date
= %s and host = %s ''' % (page, date, host) )
doesn't. Dont know why but quotes somehopw confuse me both in strings
and sql_queries as well when it comes to substitutions.
More information about the Python-list
mailing list