[DB-SIG] inserting strings into postgres db using pgdb (escaping quotes automagically)
Nathan Clegg
nathan-pydb at geerbox.com
Wed Jun 18 10:42:40 EDT 2003
Can't pgdb also use the 'format' paramstyle? It is no less safe. The
only advantage is being able to ignore order, and it is convenient for
repeating the same param multiple times in the statement, which is
unnecessary in this example. My code is no more likely to fail in
interesting and spectacular ways than yours, as I am not doing any
quoting or parsing myself.
Andy Todd wrote:
> The column names and values are put into a dictionary because pgdb uses
> the 'pyformat' paramstyle. The general form of which is:
>
> >>> cursor.execute("SELECT column_a FROM table_a WHERE column_b=%(param_a)s", {'param_a': 'some value'})
>
> This ensures that values are appropriately quoted and parsed by the
> database module and not by you. This means that funny (or just
> unexpected) characters don't cause your query to fail in interesting and
> spectacular ways.
--
Nathan Clegg
GeerBox
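As an added illustration of the two paramstyles discussed in this thread (not code from either poster), the helper below builds an INSERT from a dictionary of column names and values in either 'pyformat' or 'format' style. The table and function names are made up; the point it adds is that only values can be passed as parameters, so column and table identifiers still have to be validated by hand.

```python
import re

# DB-API parameters cover values only, never identifiers, so table and
# column names are checked against a plain-identifier pattern here.
_IDENT = re.compile(r"^[a-z_][a-z0-9_]*$")


def build_insert(table, row, paramstyle="pyformat"):
    """Return (sql, params) for inserting dict `row` into `table`.

    'pyformat' yields %(name)s placeholders with a dict of params;
    'format' yields %s placeholders with a tuple in column order.
    The values in `row` never appear in the SQL text itself; the
    database module (pgdb, psycopg, ...) quotes them at execute time.
    """
    for name in (table, *row):
        if not _IDENT.match(name):
            raise ValueError(f"invalid identifier: {name!r}")
    columns = list(row)
    if paramstyle == "pyformat":
        placeholders = ", ".join(f"%({c})s" for c in columns)
        params = dict(row)
    elif paramstyle == "format":
        placeholders = ", ".join("%s" for _ in columns)
        params = tuple(row[c] for c in columns)
    else:
        raise ValueError(f"unsupported paramstyle: {paramstyle!r}")
    sql = f"INSERT INTO {table} ({', '.join(columns)}) VALUES ({placeholders})"
    return sql, params


if __name__ == "__main__":
    # Constructed sample row: the apostrophe and semicolon are the kind of
    # "funny characters" that break hand-quoted SQL but are harmless as params.
    row = {"name": "O'Brien", "note": "likes semicolons; a lot"}
    for style in ("pyformat", "format"):
        sql, params = build_insert("people", row, style)
        print(style, "->", sql, params)
        # cursor.execute(sql, params)   # with a real pgdb cursor
```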