QuoteSQL

Steve Holden steve at holdenweb.com
Tue Sep 26 09:15:45 EDT 2006


Lawrence D'Oliveiro wrote:
> In message <mailman.637.1159253927.10491.python-list at python.org>, Steve
> Holden wrote:
> 
> 
>>Lawrence D'Oliveiro wrote:
>>
>>>In message <mailman.560.1159188345.10491.python-list at python.org>, Steve
>>>Holden wrote:
>>>
>>>
>>>
>>>>When you use the DB API correctly and parameterise your queries you still
>>>>need to quote wildcards in search arguments, but you absolutely
>>>>shouldn't quote the other SQL specials.
>>>>
>>>>That's what parameterised queries are for in the first place...
>>>
>>>
>>>So you're suggesting I quote the wildcards, then rely on autoquoted
>>>parameters to handle the rest? Unfortunately, that's stupid mistake
>>>number 2.
>>
>>Ah, so your quoting function will deduce the context in which arguments
>>intended for parameter substitution in the query will be used? Or are
>>you suggesting that it's unwise to rely on autoquoted parameters?
> 
> 
> No, I'm saying it's _incorrect_ to use the existing autoquoting mechanism in
> combination with a separate function that escapes the wildcards. I
> previously described the two stupid mistakes that can arise from having a
> separate function for doing just the wildcard quoting: this is the second
> one.
> 
Sadly your assertions alone fail to convince. Perhaps you could provide 
a concrete example?
> 
>>That could have a serious impact on the efficiency of some repeated
>>queries. 
> 
> 
> Correctness comes before efficiency. It's no point doing it quickly if
> you're doing it wrong.

Indeed not. But there's no point being right if you can't explain why.

regards
  Steve
-- 
Steve Holden       +44 150 684 7255  +1 800 494 3119
Holden Web LLC/Ltd          http://www.holdenweb.com
Skype: holdenweb       http://holdenweb.blogspot.com
Recent Ramblings     http://del.icio.us/steve.holden
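The distinction under discussion, as an added example that is not part of the thread: the DB-API placeholder handles quotes and other SQL specials, but a user-supplied LIKE term still needs its `%` and `_` escaped in the parameter value, with the escape character declared via the SQL ESCAPE clause. The table, rows and function names are constructed for illustration; the standard-library sqlite3 module stands in for whatever driver the poster was using.

```python
"""Added example (not from the thread): parameterised queries stop SQL
injection, but a user-supplied LIKE pattern still needs its wildcards
escaped.  Table and rows below are constructed sample data."""
import sqlite3

LIKE_ESCAPE = "\\"  # single backslash, declared in SQL as ESCAPE '\'


def escape_like(term: str) -> str:
    """Quote the LIKE wildcards '%' and '_' (and the escape character
    itself) so `term` matches literally.  This is applied to the bound
    *parameter value* only; the SQL text is never built from user input."""
    return (term.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
                .replace("%", LIKE_ESCAPE + "%")
                .replace("_", LIKE_ESCAPE + "_"))


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with names that contain LIKE specials."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)",
                     [("50% off socks",), ("500 piece puzzle",),
                      ("x_ray film",), ("xyray film",)])
    return conn


def search(conn: sqlite3.Connection, term: str, literal: bool = True) -> list:
    """Substring search through a DB-API placeholder.  With literal=True the
    wildcards in `term` are escaped and match themselves; with literal=False
    they are left alone and act as wildcards (the bug the thread warns of).
    Quotes and other SQL specials in `term` never need escaping: the driver
    binds the value, it is not spliced into the statement."""
    pattern = "%" + (escape_like(term) if literal else term) + "%"
    # SQLite string literals do not treat backslash specially, so '\' is
    # a one-character escape string.
    rows = conn.execute(
        "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'",
        (pattern,)).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    print(search(db, "50%", literal=True))   # only the literal '50%' row
    print(search(db, "50%", literal=False))  # '%' also matches '500 piece'
    print(search(db, "x_ray", literal=True))
    print(search(db, "x_ray", literal=False))
```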