Why Is Escaping Data Considered So Magical?

John Nagle nagle at animats.com
Fri Jun 25 14:58:51 EDT 2010


On 6/25/2010 12:09 AM, Paul Rubin wrote:
> Nobody <nobody at nowhere.com> writes:
>> More generally, as a program gets more complex, "this will work so long as
>> we do X every time without fail" approaches "this won't work".

    Yes.  I was just looking at some of my own code.  Out of about 100
SQL statements, I'd used manual escaping once, in code where the WHERE
clause is built up depending on what information is available for the
search.  It's done properly, using "MySQLdb.escape_string(s)", which
is what's used inside "cursor.execute".  Looking at the code, I
now realize that it would have been better to
add sections to the SQL string with standard escapes, and at the same
time, append the key items to a list.  Then the list can be
converted to a tuple for submission to "cursor.execute".

				John Nagle
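The approach John describes at the end of his message, as an added example that is not from his code or the original thread: each optional search criterion appends a placeholder to the SQL text and its value to a list, and the list is passed to `cursor.execute` as a tuple. It uses the standard-library `sqlite3` module (whose placeholder is `?`; MySQLdb uses `%s`, but the pattern is the same) and a constructed in-memory `people` table.

```python
import sqlite3

# Columns a caller may search on; identifiers cannot be bound as parameters,
# so they come from this fixed list and never from user input.
SEARCH_COLUMNS = ("name", "city", "email")


def build_search(criteria):
    """Return (sql, params) for a search over the constructed 'people' table.
    `criteria` maps column -> value; None means "not supplied".  Each present
    criterion appends a placeholder to the SQL text and its value to `params`,
    so no value is ever spliced into the statement.
    """
    clauses, params = [], []
    for column in SEARCH_COLUMNS:
        value = criteria.get(column)
        if value is None:
            continue
        clauses.append("%s = ?" % column)  # '?' is sqlite3's placeholder
        params.append(value)
    sql = "SELECT name, city FROM people"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY rowid"
    return sql, tuple(params)  # tuple goes straight to cursor.execute


def search(conn, criteria):
    """Run the search and return matching (name, city) rows."""
    sql, params = build_search(criteria)
    return conn.execute(sql, params).fetchall()


def demo_db():
    """Constructed in-memory table; one name contains a quote character."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, city TEXT, email TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?, ?)", [
        ("Alice", "Boston", "alice@example.com"),
        ("O'Brien", "Boston", "ob@example.com"),
        ("Bob", "Denver", "bob@example.com"),
    ])
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(search(db, {"city": "Boston"}))          # two rows
    print(search(db, {"name": "O'Brien"}))         # the quote is data, not syntax
    print(search(db, {"name": "x' OR '1'='1"}))    # no row has that literal name
```

Because the values never enter the SQL string, the same code path handles a name with an embedded quote and a string that looks like SQL identically: both are compared as literal column values.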
