Why Is Escaping Data Considered So Magical?

Cameron Simpson cs at zip.com.au
Fri Jun 25 02:11:04 EDT 2010


On 25Jun2010 15:54, I wrote:
| The number of times I've had to
| fix/remove insert-values-into-SQL-text code ...

My point here is that with insert-escaped-values-into-sql-text,
you only need to forget to do it once (or do it wrong).
By using a parameterised form like that required by SQLAlchemy,
the library does it and never forgets.

I would also point out that if you use a library to _construct_ the SQL
statements themselves, e.g. via SQLA's .select() methods etc., then you will never
introduce a syntax error into the SQL either. I expect I could construct SQL
syntax errors that cause havoc when inserted with correctly escaped parameter
values if I tried, probably using quotes in the SQL typo part.

Cheers,
-- 
Cameron Simpson <cs at zip.com.au> DoD#743
http://www.cskk.ezoshosting.com/cs/

George, discussing a patent and prior art:
"Look, this  publication has a date, the patent has a priority date,
can't you just compare them?"
Paul Sutcliffe:
"Not unless you're a lawyer."
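The three styles Cameron contrasts, as an added example that is not part of his post. It uses the standard-library sqlite3 module rather than SQLAlchemy (an assumption made so it runs with no extra dependencies; sqlite3 binds parameters with `?` placeholders). The table, rows and the tautology payload are constructed for the demonstration. The escape-by-hand version escapes one value correctly and forgets the other, which is the "only need to forget once" failure; the parameterised version has no call to forget. The last function shows that even a legitimate value containing a quote is enough to turn the unescaped form into a syntax error.

```python
import sqlite3

# Constructed sample rows, not taken from the original post.
USERS = [
    ("alice", "staff", "s3cret"),
    ("bob", "staff", "hunter2"),
    ("eve", "guest", "pa55"),
    ("o'brien", "guest", "x"),
]

PAYLOAD = "x' OR '1'='1"  # classic tautology: true for every row


def make_db():
    """In-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, realm TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def sql_escape(value):
    """Hand-rolled escaping for a SQL string literal: double each single quote."""
    return value.replace("'", "''")


def find_unsafe(conn, name, realm):
    """Insert-values-into-SQL-text with no escaping at all."""
    sql = "SELECT name FROM users WHERE name = '%s' AND realm = '%s'" % (name, realm)
    return sorted(row[0] for row in conn.execute(sql))


def find_escaped(conn, name, realm):
    """Escape-by-hand. `name` is escaped correctly; `realm` was forgotten.
    One missed call is enough: this is exactly as injectable as find_unsafe."""
    sql = "SELECT name FROM users WHERE name = '%s' AND realm = '%s'" % (
        sql_escape(name), realm)
    return sorted(row[0] for row in conn.execute(sql))


def find_parameterised(conn, name, realm):
    """Parameterised form: the SQL text is fixed and the driver binds the values,
    so they never become part of the statement and there is nothing to forget."""
    sql = "SELECT name FROM users WHERE name = ? AND realm = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, realm)))


def unsafe_breaks_on_quote(conn):
    """A legitimate name containing a quote breaks the unescaped statement:
    the quote ends the literal early and SQLite rejects the rest as syntax."""
    try:
        find_unsafe(conn, "o'brien", "guest")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    """Run the same payload through each style and collect what comes back."""
    conn = make_db()
    return {
        "unsafe_name": find_unsafe(conn, PAYLOAD, "staff"),
        "escaped_name": find_escaped(conn, PAYLOAD, "staff"),
        "escaped_realm": find_escaped(conn, "alice", PAYLOAD),
        "param_name": find_parameterised(conn, PAYLOAD, "staff"),
        "param_realm": find_parameterised(conn, "alice", PAYLOAD),
        "escaped_quote": find_escaped(conn, "o'brien", "guest"),
        "param_quote": find_parameterised(conn, "o'brien", "guest"),
        "unsafe_quote_errors": unsafe_breaks_on_quote(conn),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print("%-20s %r" % (label, result))
```

Note the precedence effect in the results: with the payload in `name`, the unescaped query reads `name = 'x' OR '1'='1' AND realm = 'staff'`, so `AND` binds first and every staff row comes back; with the payload in the forgotten `realm` slot the tautology is the last disjunct and every row in the table comes back. The parameterised form returns nothing for the payload and the correct row for `o'brien`, with no escaping code to get wrong.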


