QuoteSQL

Lawrence D'Oliveiro ldo at geek-central.gen.new_zealand
Tue Sep 26 12:45:58 CEST 2006


In message <Xns984A6E99A1A73duncanbooth at 127.0.0.1>, Duncan Booth wrote:

> However, your QuoteSQL messes up every time because it wraps double
> quotes round the whole string, so it isn't suitable for use with
> parameterised queries at all. If you care to modify it to work in that
> situation I think you'll find that the only characters you need to quote
> are \, % and _.

That won't work--that puts you into stupid mistake number 2.

I think autoquoting is fine as far as it goes. But it cannot cope with
wildcards, since it can't tell whether the string is being used in a LIKE
clause without doing its own parsing of the MySQL query. And there are
situations where you cannot rely on it, as in the QuoteSQLList example I
gave earlier. This is why my QuoteSQL function cannot be designed to work
together with autoquoting, but has to be used as a complete replacement for
it.

> In particular it currently turns newlines in backslash followed by n which
> (since MySQL ignores the extra backslash escape) is equivalent to turning
> newlines into the character n.

But \n is valid MySQL syntax for a newline.



More information about the Python-list mailing list