sql escaping module

Fredrik Lundh fredrik at pythonware.com
Thu Dec 8 11:20:32 CET 2005

Frank Millman wrote:

> Each of the API's includes the capability of passing commands in the
> form of 'string + parameters' directly into the database. This means
> that the data values are never embedded into the SQL command at all,
> and therefore there is no possibility of injection attacks.

another advantage with parameters is that if you do multiple operations which
differ only in parameters, the database may skip the SQL compilation and query
optimization passes.

> The various API's use different syntaxes for passing the parameters. It
> would have been nice if the DB-API had specified one method, and left
> it to the author of each module to transform this into the form
> required by the underlying API. Unfortunately the DB-API allows a
> choice of 'paramstyles'. There may be technical reasons for this, but
> it does make supporting multiple databases awkward.


on the other hand, it shouldn't be that hard to create a function does this mapping
on the fly, so that drivers can be updated support any paramstyle...  time for a DB
API 3.0 specification, perhaps ?

(I'd also like to see a better granularity; the current connection/cursor model is a
bit limited; a connection/cursor/query/result set model would be nicer, but I guess
ODBC gets in the way here...)


More information about the Python-list mailing list