Lie Hetland book: Beginning Python..

[Vittorio]

Magnus Lycka <lycka at carmen.se> wrote in news:dkqdf9$17g$1 at wake.carmen.se:

Thank you for your message I found really illuminating.
 
> Using the same symbol for both string substitutions and SQL placeholder
> such as pysqlite 1 and the MySQL interface does, is not really a bright
> idea in my opinion. Who thinks this is pretty?
> 
> sql = "SELECT %s FROM %s WHERE %s = %%s"
> cur.execute(sql % (col,table,search_col), (param,))
> 
> I think it's less confusing with:
> 
> sql = "SELECT %s FROM %s WHERE %s = ?"
> cur.execute(sql % (col,table,search_col), (param,))

I had never thought about it, I really agree.

 
> Of course, the "proper" way, with %s-substitution for e.g. table
> names and ? for parameters is also open for SQL injection attacks
> if the values in the strings col, table and search_col above are
> user input, but since they are plain SQL identifiers, they are much
> easier to check than arbitrary search values. You'd probably have
> a set of allowed values, and check that the input was in that
> set. They are also less likely to come from an untrusted source.

undoubtedly.

> As you can see in
> http://initd.org/tracker/pysqlite/wiki/PysqliteVersions
> you can use pysqlite 1.1 if you want to use the old pysqlite 1
> API.
> 
> Pysqlite2 is documented here:
> http://initd.org/pub/software/pysqlite/doc/usage-guide.html

yes I had already found the docs and noticed there was no explanation 
about such a remarkable difference from pysqlite1 and pysqlite2. 

After your message, I find even more strange that Magnus' book reported 
pysqlite1 examples as Sqlite 3 was a great step forward in my opinion.
But this can not prevent me from saying that it is the best Python book 
around in the beginner to intermediate range.