[DB-SIG] inserting strings into postgres db using pgdb
(escaping quotes automagically)
Marcos Sánchez Provencio
msanchez at grupoburke.com
Wed Jun 18 22:02:57 EDT 2003
This has been discussed before, and recently:
http://mail.python.org/pipermail/db-sig/2001-April/001719.html
http://aspn.activestate.com/ASPN/Mail/Message/1538118
On Wed, 18 Jun 2003 at 18:42, Nathan Clegg wrote:
> Can't pgdb also use 'format' paramstyle? It is no less safe. The
> only advantage is being able to ignore order and is convenient for
> repeating the same param multiple times in the statement, which is
> unnecessary in this example. My code is no more likely to fail in
> interesting and spectacular ways than yours, as I am not doing any
> quoting or parsing myself.
>
>
> Andy Todd wrote:
> > The column names and values are put into a dictionary because pgdb uses
> > the 'pyformat' paramstyle. The general form of which is:
> >
> > >>> cursor.execute("SELECT column_a FROM table_a WHERE column_b=%(param_a)s", {'param_a':'some value'})
> >
> > This ensures that values are appropriately quoted and parsed by the
> > database module and not by you. This means that funny (or just
> > unexpected) characters don't cause your query to fail in interesting and
> > spectacular ways.
--
Marcos Sánchez Provencio <msanchez at grupoburke.com>
www.burke.es
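As an added example (not code from this thread or from pgdb), the query above is run against the standard-library sqlite3 module, which runs offline: once in Andy's 'pyformat' style, once in Nathan's 'format' style, and once with the value spliced into the SQL by hand. The two placeholder translators, the table and its rows are assumptions of the example, since sqlite3 itself only speaks the 'qmark' and 'named' paramstyles.

```python
import re
import sqlite3

# Hypothetical helpers: map the thread's pyformat/format placeholders onto
# the two paramstyles sqlite3 understands. pgdb needs no such translation.
_PYFORMAT = re.compile(r"%\((\w+)\)s")

def pyformat_to_named(sql):
    """'%(p)s' -> ':p', so a dict of params can be passed as in Andy's example."""
    return _PYFORMAT.sub(r":\1", sql)

def format_to_qmark(sql):
    """'%s' -> '?', so a tuple of params can be passed as in Nathan's example."""
    return sql.replace("%s", "?")

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table_a (column_a TEXT, column_b TEXT)")
    # Constructed rows; the second value carries the quote the thread worries about.
    conn.executemany("INSERT INTO table_a VALUES (?, ?)",
                     [("row1", "some value"), ("row2", "O'Brien")])
    return conn

def lookup_pyformat(conn, value):
    sql = pyformat_to_named(
        "SELECT column_a FROM table_a WHERE column_b=%(param_a)s")
    return [r[0] for r in conn.execute(sql, {"param_a": value})]

def lookup_format(conn, value):
    sql = format_to_qmark("SELECT column_a FROM table_a WHERE column_b=%s")
    return [r[0] for r in conn.execute(sql, (value,))]

def lookup_interpolated(conn, value):
    """Quoting by hand: the driver never sees the value as data, only as SQL text."""
    sql = "SELECT column_a FROM table_a WHERE column_b='%s'" % value
    try:
        return [r[0] for r in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "query failed: %s" % exc

if __name__ == "__main__":
    db = make_db()
    for v in ("some value", "O'Brien"):
        print(repr(v), lookup_pyformat(db, v), lookup_format(db, v),
              lookup_interpolated(db, v))
```

With "O'Brien" both parameterized lookups return the row, while the hand-built statement is rejected by the database with a syntax error, which is the failure mode the thread describes.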