[DB-SIG] DCOracle2 selecting with "in" expression

Neil Hodgson nhodgson at eb2.net.au
Wed Apr 16 17:33:15 EDT 2003


    We have code that uses DCOracle2 to select records where a column 
value is a member of a set like:

select * from psptx where flag in ('A','D','M')

    which is currently constructed by code similar to

"select * from psptx where flag in (%s)" %
	",".join(listQuoted)

    It would be better to avoid building SQL queries up at runtime for 
the normal reasons including the possibility of unchecked input causing 
security vulnerabilities, so positional or named parameters should be 
used instead.

     Code like

flagList = ('A','D','M')
"select * from psptx where flag in :1", (flagList,)
# or
"select * from psptx where flag in (:a)", a=flagList

    doesn't work. Nor does creating a binding array and passing that as 
the argument.

    Does anyone have some working example code that does this?

    Neil
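The standard answer to the question above is to generate one bind variable per list element at runtime, so that the list values themselves never reach the SQL text. The following is an added example, not code from the post or from DCOracle2: it uses the standard-library sqlite3 module as an offline stand-in for Oracle (sqlite3 accepts ":name" binds), constructs a small psptx table with made-up rows, and places the original string-concatenation version beside the bound version to show what a hostile list element does to each. The names in_clause_query, ids_with_flags_bound and ids_with_flags_concat are this example's own; the placeholder spelling must match the driver's paramstyle (DCOracle2 uses the ":1" style shown in the post, so that spelling would be substituted there).

```python
import sqlite3

# Constructed sample data standing in for the psptx table; not real rows.
SAMPLE_ROWS = [(1, 'A'), (2, 'B'), (3, 'D'), (4, 'M'), (5, 'Z')]


def make_db():
    """In-memory SQLite stand-in for the Oracle table the post refers to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE psptx (id INTEGER PRIMARY KEY, flag TEXT)")
    conn.executemany("INSERT INTO psptx (id, flag) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def in_clause_query(table, column, values, prefix="v"):
    """Return (sql, params) selecting rows where `column` is in `values`.

    One named bind variable is generated per list element, so the values
    are passed to the driver and never spliced into the SQL text.  `table`
    and `column` are identifiers and cannot be bound; they must come from
    trusted code, never from user input.
    """
    if not values:
        # "IN ()" is a syntax error on Oracle; return a statement that
        # matches nothing instead of building an invalid one.
        return "SELECT * FROM %s WHERE 1 = 0" % table, {}
    names = ["%s%d" % (prefix, i) for i in range(len(values))]
    placeholders = ", ".join(":" + n for n in names)
    sql = "SELECT * FROM %s WHERE %s IN (%s)" % (table, column, placeholders)
    return sql, dict(zip(names, values))


def ids_with_flags_bound(conn, flags):
    """Bound version: every flag value travels as a bind parameter."""
    sql, params = in_clause_query("psptx", "flag", flags)
    return sorted(row[0] for row in conn.execute(sql, params))


def ids_with_flags_concat(conn, flags):
    """The original string-building approach, kept only for contrast."""
    quoted = ["'%s'" % f for f in flags]
    sql = "SELECT * FROM psptx WHERE flag IN (%s)" % ",".join(quoted)
    return sorted(row[0] for row in conn.execute(sql))


# A constructed value that closes the IN list and appends an always-true test.
HOSTILE_FLAG = "A') OR ('1'='1"

if __name__ == "__main__":
    db = make_db()
    print(ids_with_flags_bound(db, ['A', 'D', 'M']))    # [1, 3, 4]
    print(ids_with_flags_concat(db, ['A', 'D', 'M']))   # [1, 3, 4]
    print(ids_with_flags_bound(db, [HOSTILE_FLAG]))     # []
    print(ids_with_flags_concat(db, [HOSTILE_FLAG]))    # [1, 2, 3, 4, 5]
```

With the hostile element the concatenated statement becomes `... WHERE flag IN ('A') OR ('1'='1')` and returns every row, while the bound statement compares the whole string against the column and matches nothing. Two Oracle-specific caveats when moving this off the sqlite3 stand-in: an empty list has to be special-cased as above, and Oracle rejects IN lists of more than 1000 expressions (ORA-01795), so very long lists need to be split into chunks or loaded into a temporary table instead.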
