Re: Rép : Why is str(None) == 'None' and not an empty string?

fp2161 at gmail.com fp2161 at gmail.com
Thu Aug 29 16:09:19 EDT 2013


On Thursday, August 29, 2013 12:55:36 PM UTC+2, Ian wrote:
> On Wed, Aug 28, 2013 at 5:42 AM, Fabrice POMBET <fp2161 at gmail.com> wrote:
> > On 8/28/2013 4:57 AM, Piotr Dobrogost wrote:
> >> Having repr(None) == 'None' is sure the right thing but why does str(None) == 'None'? Wouldn't it be more correct if it was an empty string?
> >
> > the point of str(obj) is to return a string containing the obj (a sequence of characters if it is unbound or not built-in, etc.)...
> >
> > If you set the rule str(None)=="", then you will cause plenty of problems.
> >
> > For instance, if you want to build a string like request="SELECT X"+"IN Y"+"WHERE B="+String(B)
> > to prepare a sequel request, and the field B happens to be sometimes "None", you would automatically end up with """SELECT X IN Y WHERE B=''""" instead of """SELECT X IN Y WHERE B='None'""",
> > and your sql request will fall into limbos...
>
> The proper way to pass values into a SQL query is by using bind
> parameters. Inserting them into the query string by concatenation is
> error-prone and an excellent way to write code that is vulnerable to
> SQL injection attacks.
>
> The DB API guarantees that the object None will map to the database
> value NULL when passed directly as a parameter.  The value returned by
> str(None) is irrelevant in this context.

I could not agree more with you. The purpose of my post, however, was only to give a simple illustration of how such a generic change would make everything awkward, not to give any proper, precise or general directions on how to code a safe SQL request for a DB when you are online. Thank you however for your corrections.
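The two points raised in the thread side by side, as an added example that is not part of the original messages: the concatenation pattern from the quoted post (where str(None) becomes the text 'None' and any input becomes SQL) next to the bind-parameter form Ian describes, where None is bound as NULL. It uses the standard-library sqlite3 module and a constructed in-memory table; the table name t, the columns x and b and the sample rows are assumptions for the example. It also shows the caveat that a bound None needs IS NULL, because NULL = NULL is not true in SQL.

```python
import sqlite3

# Constructed sample table: row 2 holds a real NULL, row 3 holds the text 'None'.
ROWS = [(1, "alpha"), (2, None), (3, "None")]

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (x INTEGER, b TEXT)")
    conn.executemany("INSERT INTO t VALUES (?, ?)", ROWS)
    return conn

def query_concat(conn, b):
    """The pattern from the thread: str(b) is spliced into the SQL text.
    None becomes the literal 'None', and any quote in b becomes SQL syntax."""
    sql = "SELECT x FROM t WHERE b='" + str(b) + "'"
    return sorted(row[0] for row in conn.execute(sql))

def query_param(conn, b):
    """Bind parameter: the driver passes b as data, never as SQL text.
    None is bound as NULL; since NULL = NULL is not true in SQL, a lookup
    for None must use IS NULL rather than '= ?'."""
    if b is None:
        cur = conn.execute("SELECT x FROM t WHERE b IS NULL")
    else:
        cur = conn.execute("SELECT x FROM t WHERE b = ?", (b,))
    return sorted(row[0] for row in cur)

def none_binds_as_null(conn):
    """Round-trip check of the DB API guarantee: a bound None is stored as NULL."""
    conn.execute("INSERT INTO t VALUES (?, ?)", (99, None))
    (is_null,) = conn.execute("SELECT b IS NULL FROM t WHERE x = 99").fetchone()
    conn.execute("DELETE FROM t WHERE x = 99")
    return bool(is_null)

if __name__ == "__main__":
    conn = setup_db()
    print(query_concat(conn, None))           # [3]: matched the text 'None', not the NULL
    print(query_param(conn, None))            # [2]: matched the real NULL
    print(query_concat(conn, "' OR '1'='1"))  # [1, 2, 3]: the input became part of the query
    print(query_param(conn, "' OR '1'='1"))   # []: the same input was compared as data
    print(none_binds_as_null(conn))           # True
```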
