[DB-SIG] paramstyles (mysql string length?)

Carsten Haese carsten at uniqsys.com
Wed Apr 19 18:13:44 CEST 2006


On Wed, 2006-04-19 at 11:38, Gerhard Häring wrote:
> Abolishing (py)format certainly means additional work for the module 
> authors. If we do so - I haven't read the whole thread, so I don't know 
> what the arguments are for it - then we should include example code in 
> the DB-API for parsing qmarks out of ANSI SQL statements.

The main argument for abolishing (py)format is that it blurs the line
between parameter passing, which is good, and hand-rolling a query via
string substitution, which is bad because it invites SQL injections if
not done carefully, and it's almost never done carefully.

Especially newbies seem to have a problem with telling the two apart and
understanding why parameter binding is better than string substitution.
Abolishing %s should make it a lot easier to clearly separate the two
concepts.

Ian also brought up the point that implementations that use (py)format
have a rather ugly wart: Literal % signs in queries have to be doubled
up to prevent accidental parameter markers. This is ugly and makes
writing portable code unnecessarily hard.

I agree that if we decide to abolish (py)format, we should help out
module authors for databases that don't natively support '?' by
providing example code for performing the necessary parsing.

-Carsten
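An added illustration of the two points above, written for this page and not code from the thread or from any DB-API module: the first two functions show why string substitution and parameter binding are different things (using Python's bundled sqlite3, a qmark-style driver, against a constructed in-memory table), and `qmark_to_pyformat` is a sketch of the kind of parsing helper the mail suggests giving to module authors, rewriting `?` markers to `%s` while leaving `?` inside quoted strings and comments alone and doubling literal `%` so the user never has to. The function name, the sample table and the sample queries are all assumptions made here.

```python
import sqlite3


def qmark_to_pyformat(sql):
    """Rewrite '?' markers as '%s' for a pyformat-only driver.

    '?' inside string literals, quoted identifiers, '--' and '/* */'
    comments is left untouched, and every literal '%' is doubled so the
    driver cannot mistake it for a marker.  Returns (new_sql, marker_count).
    Hypothetical helper written for this example, not DB-API reference code.
    """
    out = []
    count = 0
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"'):
            # Quoted literal/identifier: copy through the closing quote,
            # treating a doubled quote ('') as an escaped quote character.
            j = i + 1
            while j < n and not (sql[j] == c and sql[j + 1:j + 2] != c):
                j += 2 if sql[j] == c else 1
            if j >= n:
                raise ValueError("unterminated quote at offset %d" % i)
            out.append(sql[i:j + 1].replace("%", "%%"))
            i = j + 1
        elif sql.startswith("--", i):
            # Line comment runs to end of line (newline itself is kept).
            j = sql.find("\n", i)
            j = n if j == -1 else j
            out.append(sql[i:j].replace("%", "%%"))
            i = j
        elif sql.startswith("/*", i):
            # Block comment, copied verbatim apart from '%' doubling.
            j = sql.find("*/", i + 2)
            j = n if j == -1 else j + 2
            out.append(sql[i:j].replace("%", "%%"))
            i = j
        elif c == "?":
            out.append("%s")
            count += 1
            i += 1
        elif c == "%":
            out.append("%%")
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out), count


def make_db():
    """Constructed sample data: an in-memory sqlite3 table of two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_by_substitution(conn, name):
    """The hand-rolled query the mail warns about: the value is spliced into
    the SQL text, so quote characters in it change what the query means."""
    return conn.execute(
        "SELECT name FROM users WHERE name = '%s'" % name).fetchall()


def lookup_by_binding(conn, name):
    """Parameter binding: the driver receives the value separately from the
    SQL text, so it is only ever compared, never parsed as SQL."""
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"          # constructed input containing quotes
    print("substitution:", lookup_by_substitution(conn, crafted))  # both rows
    print("binding:     ", lookup_by_binding(conn, crafted))       # no rows
    print(qmark_to_pyformat(
        "SELECT * FROM t WHERE a = ? AND b LIKE '%?%' -- ? here\n AND c = ?"))
```

The converter is deliberately dialect-agnostic: it knows only ANSI single and double quotes and the two standard comment forms, so a real module author would extend it for their server's extras (backtick identifiers, dollar-quoted strings, backslash escapes) before relying on it. The useful property to keep is the one the mail asks for: once users write `?`, a literal `%` in their SQL needs no special treatment.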
