kent37 at tds.net
Fri Mar 18 18:09:47 CET 2005
wes weston wrote:
> Dennis Lee Bieber wrote:
>> Try neither, the recommended method is to let the execute() do
>> the formatting... That way /it/ can apply the needed quoting of
>> arguments based upon the type of the data.
>> cursor.execute("insert into produkt1 (MyNumber) values (%s)", (MyValue,))
> Do you know if this has some efficiency advantage
> or is it just an agreed upon custom.
It may have efficiency advantages if the DB caches requests. But the main advantages are that
- it correctly escapes special chars such as "
- consequently it also protects against SQL injection attacks where MyValue might contain malicious SQL.
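The difference described in this reply, shown as an added example that is not part of the original thread. It uses Python's stdlib sqlite3 module, whose parameter marker is `?` rather than the `%s` of a format-style driver; the table, rows and hostile input are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory table with two sample rows (nothing touches disk).
    conn = sqlite3.connect(":memory:")
    conn.execute("create table produkt1 (MyNumber text, secret text)")
    conn.executemany("insert into produkt1 values (?, ?)",
                     [("100", "alpha"), ("200", "beta")])
    return conn


def lookup_unsafe(conn, value):
    # Caller-side formatting: the value is pasted into the SQL text verbatim,
    # so quote characters in it are interpreted as SQL syntax.
    sql = "select secret from produkt1 where MyNumber = '%s'" % value
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, value):
    # Driver-side binding: the value is passed separately and is always
    # treated as data, whatever characters it contains.
    sql = "select secret from produkt1 where MyNumber = ?"
    return [row[0] for row in conn.execute(sql, (value,))]


def insert_safe(conn, value):
    # A legitimate value containing a quote is stored as-is when bound.
    conn.execute("insert into produkt1 (MyNumber, secret) values (?, 'x')",
                 (value,))
    return lookup_safe(conn, value)


def unsafe_raises(conn, value):
    # True when the formatted query is rejected as malformed SQL.
    try:
        lookup_unsafe(conn, value)
        return False
    except sqlite3.OperationalError:
        return True


# Constructed inputs: one hostile (closes the quote and appends an always-true
# condition), one merely containing an apostrophe.
HOSTILE = "' or '1'='1"
QUOTED = "O'Brien"
```

With formatting, `HOSTILE` returns every row and `QUOTED` breaks the query; with binding, `HOSTILE` matches nothing and `QUOTED` round-trips intact.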