String substitution VS proper mysql escaping
MRAB
python at mrabarnett.plus.com
Sat Aug 28 15:35:08 EDT 2010
On 28/08/2010 20:10, Νίκος wrote:
> On 20 Aug, 09:04, Nik Gr<nikos.the.gr... at gmail.com> wrote:
>> With regard to the "%" operator, it considers the string on the left to
>> be a format string with multiple %blah things in it to replace. The
>> thing on the right is a sequence of items to place into the format
>> string.
>
> Can you please clarify what you mean by that?
>
Basically:
    format_string % (item_1, item_2, item_3)
>> In your usage above you're supplying "page" instead of "(page,)".
>> The latter matches the .execute() method's requirements.
>
> I tried it and "page" as a string and not as a single element tuple
> works ok.
Although the .execute() method might accept a single string:

    cursor.execute(sql_query, page)

as well as a tuple containing the string:

    cursor.execute(sql_query, (page, ))

try to be consistent. As I said before:
"""When there's more than one value you provide a tuple. It makes sense
from the point of view of consistency that you also provide a tuple when
there's only one value."""
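
An added example, not part of the message above or of the original thread: it contrasts "%" string substitution with passing the value to .execute() as a parameter, and shows why the one-element tuple is the safer habit. It assumes the standard-library sqlite3 module as a stand-in for MySQLdb (sqlite3 uses "?" as its placeholder where MySQLdb uses "%s"); the table, rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; sqlite3 stands in for MySQL here (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE counters (page TEXT, hits INTEGER)")
    db.executemany("INSERT INTO counters VALUES (?, ?)",
                   [("index.html", 5), ("nikos's page.html", 2)])
    return db

def hits_substituted(db, page):
    # String substitution: the value is pasted into the SQL text itself,
    # so a quote character in it is parsed as SQL syntax.
    sql = "SELECT hits FROM counters WHERE page = '%s'" % page
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error: " + type(exc).__name__

def hits_bound(db, params):
    # Parameter binding: the driver receives the value separately from the
    # SQL text, so its content is never parsed as SQL.
    sql = "SELECT hits FROM counters WHERE page = ?"
    try:
        return db.execute(sql, params).fetchall()
    except sqlite3.Error as exc:
        return "error: " + type(exc).__name__

if __name__ == "__main__":
    db = make_db()
    tricky = "nikos's page.html"
    print(hits_substituted(db, "index.html"))  # plain value works
    print(hits_substituted(db, tricky))        # apostrophe breaks the statement
    print(hits_bound(db, (tricky,)))           # same value, bound as data
    # sqlite3 treats a bare string as a sequence of characters, so a
    # ten-character string is taken as ten parameters for one placeholder.
    print(hits_bound(db, "index.html"))
    print(hits_bound(db, ("index.html",)))     # one-element tuple always works
```

Under sqlite3 the bare string is rejected outright, which is one concrete reason to pass a tuple even when a particular driver tolerates a single string.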