Manual parameter substitution in sqlite3
Christian Gollwitzer
auriocus at gmx.de
Thu Mar 2 03:55:54 EST 2017
Am 28.02.17 um 18:28 schrieb Skip Montanaro:
> Most of the time (well, all the time if you're smart), you let the
> database adapter do parameter substitution for you to avoid SQL
> injection attacks (or stupid users). So:
>
> curs.execute("select * from mumble where key = ?", (key,))
>
> If you want to select from several possible keys, it would be nice to
> be able to do this:
>
> curs.execute("select * from mumble where key in (?)", (keys,))
>
> but that doesn't work.
Instead of building the query on the fly (with quoting hell etc.), you
could do it "the (theoretical) right way", which is using another table.
Insert your keys into a table, maybe temporary one, and then do
select * from mumble where key in (select key from keytable)
In theory that should also be faster, but unless you have a thousand
keys, there will be no noticeable difference.
Christian
More information about the Python-list
mailing list