[DB-SIG] In praise of pyformat

Carsten Haese carsten at uniqsys.com
Wed Aug 15 04:07:34 CEST 2007


On Tue, 2007-08-14 at 10:18 -0400, Mike Meyer wrote:
> > How often does an identifier come from an untrusted source?
> 
> Um, how about in every web-based app that has a real search facility?
> One that lets the user specify which column(s) they want to check, or
> that can search multiple tables?

Even if you take an identifier directly from an untrusted source, nobody
is forcing you to stick it into a query unchecked.

Anyway, I don't doubt that you often need to put unchecked identifiers
from an untrusted source into queries, but I think you're in a very
small minority compared to the general population of database
application developers. I don't think that the DB-API spec should be
weighed down by requiring a feature of such little general use, but
you're welcome to write a reusable toolkit module that lives outside of
and on top of DB-API. Of course you'll need to code some per-database
logic that defines whether the database accepts delimited identifiers
and what the delimiter is, but you only need to do this once for every
database you plan on supporting.

Keep in mind that this is just my opinion, and I don't speak for the
entire DB-SIG community. It's your right to post a proposal and ask for
a vote.

-- 
Carsten Haese
http://informixdb.sourceforge.net
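Added illustration (not part of Carsten's message or of the DB-API spec) of the kind of toolkit layer he describes: a small module on top of DB-API that checks a user-supplied table and column name against the live schema before interpolating it, wraps it in the per-database delimiter, and still binds the search value through the driver's paramstyle. It uses the stdlib sqlite3 module and a constructed in-memory `users` table; the delimiter table, the function names and the sample rows are assumptions made for this example.

```python
"""Identifier-safe query helper layered on top of DB-API (example code,
not from the DB-SIG thread).  Uses sqlite3 for a self-contained demo."""
import sqlite3

# Per-database identifier delimiters.  Which dialects to list, and how to
# key them, is an assumption of this example; check each database's docs.
IDENTIFIER_DELIMITERS = {
    "sqlite3": ('"', '"'),   # SQL-standard double-quoted identifiers
    "mysql":   ("`", "`"),   # MySQL default (unless ANSI_QUOTES is on)
    "mssql":   ("[", "]"),   # SQL Server bracket delimiters
}


def quote_identifier(name, dialect="sqlite3"):
    """Wrap an identifier in the dialect's delimiters, doubling any
    embedded closing delimiter so it cannot end the quoted name early."""
    if "\x00" in name:
        raise ValueError("identifier contains NUL")
    open_d, close_d = IDENTIFIER_DELIMITERS[dialect]
    return open_d + name.replace(close_d, close_d * 2) + close_d


def allowed_tables(conn):
    """Allowlist of table names taken from the live schema (sqlite3-specific)."""
    cur = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {row[0] for row in cur.fetchall()}


def allowed_columns(conn, table):
    """Allowlist of column names for an already-validated table."""
    cur = conn.execute("PRAGMA table_info(%s)" % quote_identifier(table))
    return {row[1] for row in cur.fetchall()}


def is_valid_target(conn, table, column):
    """True only if both identifiers exist in the schema; anything the
    user typed that is not an actual table/column is rejected here."""
    return table in allowed_tables(conn) and column in allowed_columns(conn, table)


def search(conn, table, column, needle):
    """Search `column` of `table` for `needle`.  Identifiers are checked
    against the schema and delimited; the value is bound, never pasted."""
    if not is_valid_target(conn, table, column):
        raise ValueError("unknown search target: %r.%r" % (table, column))
    sql = "SELECT id FROM %s WHERE %s LIKE ? ORDER BY id" % (
        quote_identifier(table), quote_identifier(column))
    return [row[0] for row in conn.execute(sql, ("%" + needle + "%",))]


def build_demo_db():
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "Alice", "alice@example.org"),
        (2, "Bob", "bob@example.org"),
        (3, "Carol", "carol@example.net"),
    ])
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(search(db, "users", "name", "ali"))        # user-chosen column, checked
    print(is_valid_target(db, "users", "name; --"))  # rejected before any SQL is built
```

The split of responsibilities is the point: the schema lookup decides whether an identifier may appear in the query at all, the delimiter table is the one per-database piece Carsten mentions, and the actual search term still travels through the driver's parameter binding, so no string-level escaping of values is ever needed.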