[ANN] istring 1.0.1 released; announce list created
Bjorn Pettersen
BPettersen at NAREX.com
Wed Mar 13 17:51:43 EST 2002
> From: Bengt Richter [mailto:bokr at oz.net]
>
> On Wed, 13 Mar 2002 21:30:47 +0300, Oleg Broytmann
> <phd at phd.pp.ru> wrote:
>
> >On Wed, Mar 13, 2002 at 08:15:39PM +0100, Andreas Kostyrka wrote:
> >> And what about:
> >> db.query("""SELECT foo, bar
> >> FROM %(table)s
> >> WHERE rsrc_id = %(rsrc_id)d
> >> AND name = '%(name)s'""" % locals())
> >>
> >> pure standard Python :)
> >
> > This will fail if name = "O'Hara". Or name = 'Tutti"""Frutti'.
> >
> Ok, then how about:
> ---
> >>> table = 'theTable'
> >>> rsrc_id = 1234567
> >>> class QEsc:
> ...     def __init__(self,s): self.sesc = "\\'".join('\\"'.join(s.split('"')).split("'"))
> ...     def __str__(self): return self.sesc
> ...
>
> >>> for badname in ["O'Hara", 'Tutti"""Frutti']:
> ...     name = QEsc(badname)
> ...     print """SELECT foo, bar
> ... FROM %(table)s
> ... WHERE rsrc_id = %(rsrc_id)d
> ... AND name = '%(name)s'""" % locals()
> ...
> SELECT foo, bar
> FROM theTable
> WHERE rsrc_id = 1234567
> AND name = 'O\'Hara'
Except that's not how SQL is quoted (it should have been 'O''Hara').
Besides, anyone not using bound variables must be crazy <wink>
-- bjorn
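The three approaches in this thread side by side, as an added illustration that is not code from any of the posters: the original % formatting with no escaping, standard SQL quote doubling (the 'O''Hara' form), and bound variables. It uses only the standard library sqlite3 module; the in-memory table and the sample names are constructed here for the demo. Note that the backslash form produced by the quoted QEsc class is a MySQL extension, not standard SQL; SQLite treats a backslash inside a string literal as an ordinary character.

```python
"""Three ways of putting a user-supplied value into a SQL query.

Added illustration; the in-memory database, table and sample names are
constructed here for the demo. Only the standard library is used.
"""
import sqlite3

# Constructed sample data: the two names from the thread plus a harmless one.
SAMPLE_NAMES = ["O'Hara", 'Tutti"""Frutti', "plain"]


def make_db():
    """In-memory SQLite database with one table and a row per sample name."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE theTable (rsrc_id INTEGER, name TEXT, foo INTEGER, bar INTEGER)"
    )
    for i, n in enumerate(SAMPLE_NAMES):
        conn.execute(
            "INSERT INTO theTable VALUES (?, ?, ?, ?)", (1234567, n, i, i * 10)
        )
    conn.commit()
    return conn


def query_naive(conn, name, rsrc_id=1234567):
    """The first approach in the thread: plain % formatting, no escaping.
    A single quote inside `name` terminates the SQL string literal early."""
    sql = """SELECT foo, bar FROM theTable
             WHERE rsrc_id = %(rsrc_id)d AND name = '%(name)s'""" % locals()
    return conn.execute(sql).fetchall()


def sql_escape(s):
    """Standard SQL string-literal escaping: double every single quote.
    This is the 'O''Hara' form Bjorn refers to; backslash escaping as in
    the quoted QEsc class is not standard SQL (SQLite keeps the backslash)."""
    return s.replace("'", "''")


def query_escaped(conn, name, rsrc_id=1234567):
    """Manual escaping: correct for SQLite, but every call site must remember
    to do it, and the rules differ between database engines."""
    sql = """SELECT foo, bar FROM theTable
             WHERE rsrc_id = %d AND name = '%s'""" % (rsrc_id, sql_escape(name))
    return conn.execute(sql).fetchall()


def query_bound(conn, name, rsrc_id=1234567):
    """Bound variables (DB-API 2.0, sqlite3 uses the 'qmark' paramstyle):
    the driver passes the value separately, so it is never parsed as SQL
    text and no escaping logic is needed at all."""
    return conn.execute(
        "SELECT foo, bar FROM theTable WHERE rsrc_id = ? AND name = ?",
        (rsrc_id, name),
    ).fetchall()


def compare(name):
    """Run all three queries against a fresh database and return what each
    yields; 'error' marks the naive query being rejected by the SQL parser."""
    conn = make_db()
    try:
        naive = query_naive(conn, name)
    except sqlite3.OperationalError:
        naive = "error"
    return {
        "naive": naive,
        "escaped": query_escaped(conn, name),
        "bound": query_bound(conn, name),
    }


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), compare(n))
```

Running the block shows the naive query failing outright on "O'Hara" while the escaped and bound versions both find the row; the escaped version only works because SQLite follows the standard doubling rule, whereas the bound version works the same way on any DB-API driver.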