[DB-SIG] paramstyles (mysql string length?)
carsten at uniqsys.com
Wed Apr 19 18:13:44 CEST 2006
On Wed, 2006-04-19 at 11:38, Gerhard Häring wrote:
> Abolishing (py)format certainly means additional work for the module
> authors. If we do so - I haven't read the whole thread, so I don't know
> what the arguments are for it - then we should include example code in
> the DB-API for parsing qmarks out of ANSI SQL statements.
The main argument for abolishing (py)format is that it blurs the line
between parameter passing, which is good, and hand-rolling a query via
string substitution, which is bad because it invites SQL injections if
not done carefully, and it's almost never done carefully.
Especially newbies seem to have a problem with telling the two apart and
understanding why parameter binding is better than string substitution.
Abolishing %s should make it a lot easier to clearly separate the two.
Ian also brought up the point that implementations that use (py)format
have a rather ugly wart: Literal % signs in queries have to be doubled
up to prevent accidental parameter markers. This is ugly and makes
writing portable code unnecessarily hard.
I agree that if we decide to abolish (py)format, we should help out
module authors for databases that don't natively support '?' by
providing example code for performing the necessary parsing.
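As an added example, not code from this thread or from any DB-API module: a small tokenizer that does the qmark parsing the post asks module authors to be given, rewriting '?' markers into a driver's native paramstyle while skipping a '?' that sits inside a string literal, quoted identifier or comment, and doubling literal '%' when the target is a (py)format driver (the wart mentioned above). The function names and sample statements are my own.

```python
import re
from typing import Callable, List, Tuple

# Tokenizer: match whole string literals, quoted identifiers and comments
# first, so a '?' inside them is never mistaken for a parameter marker.
_TOKEN = re.compile(
    r"'(?:[^']|'')*'"      # single-quoted string literal; '' is an escaped quote
    r'|"(?:[^"]|"")*"'     # double-quoted identifier
    r"|--[^\n]*"           # line comment
    r"|/\*.*?\*/"          # block comment
    r"|\?"                 # qmark parameter marker
    r"|.",                 # any other single character
    re.DOTALL,
)

def convert_qmark(sql: str, marker: Callable[[int], str],
                  escape: Callable[[str], str] = lambda s: s) -> Tuple[str, int]:
    """Rewrite qmark-style SQL for a driver with a different native paramstyle.

    marker(i) returns the driver's placeholder for the i-th (1-based) parameter;
    escape() is applied to every non-marker token so literal text can be made
    safe for the driver. Returns the rewritten SQL and the marker count.
    """
    out: List[str] = []
    count = 0
    for m in _TOKEN.finditer(sql):
        tok = m.group(0)
        if tok == "?":
            count += 1
            out.append(marker(count))
        else:
            out.append(escape(tok))
    return "".join(out), count

def qmark_to_pyformat(sql: str) -> Tuple[str, int]:
    """qmark -> format ('%s'). Every literal '%' (LIKE patterns, modulo) must be
    doubled because the driver interpolates '%' itself: the wart in question."""
    return convert_qmark(sql, lambda i: "%s", lambda s: s.replace("%", "%%"))

def qmark_to_numeric(sql: str) -> Tuple[str, int]:
    """qmark -> numeric (':1', ':2', ...); no escaping of literal text needed."""
    return convert_qmark(sql, lambda i: f":{i}")

if __name__ == "__main__":
    # Constructed sample: the '?' in the literal and in the comment are not parameters.
    q = "SELECT * FROM t WHERE name LIKE ? AND note <> 'why?' -- really?\n AND pct > ?"
    print(qmark_to_pyformat(q))
    print(qmark_to_numeric(q))
```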