escape single and double quotes

Michael Pelz Sherman mpelzsherman at yahoo.com
Wed Oct 24 16:37:56 CEST 2007


Thanks Gabriel. You are correct - this is even documented in the MySQLdb User's Guide (http://mysql-python.sourceforge.net/MySQLdb.html), but it's certainly not intuitive, given how python string interpolation normally works.

Gabriel Genellina <gagsl-py2 at yahoo.com.ar> wrote: En Tue, 23 Oct 2007 20:50:55 -0300, Michael Pelz Sherman  
 escribió:

> Leif B. Kristensen wrote:
>
>>>>  SQL = 'INSERT into TEMP data = %s'
>>>>  c.execute(SQL, """ text containing ' and ` and all other stuff we
>>> .  might
>>> .   read from the network""")
>>
>>> Sure, but does this work if you need more than one placeholder?
>
>> Yes it works with more than one placeholder.
>
> Yes, BUT: I have found that all of the placeholders must be STRINGS!
>
> If I try to use other data types (%d, %f, etc.), I get an error:
>
> File "/usr/lib/python2.5/site-packages/MySQLdb/cursors.py", line 149, in  
> execute
>     query = query % db.literal(args)
> TypeError: float argument required
>
> It's not a huge problem to convert my non-string args, but it
> seems like this should be fixed if it's a bug, no?

No. The *MARK* is always %s - but the data may be any type (suitable for  
the database column, of course).
The only purpose of %s is to say "insert parameter here". Other adapters  
use a question mark ? as a parameter placeholder, a lot less confusing, as  
it does not look like string interpolation.

-- 
Gabriel Genellina

-- 
http://mail.python.org/mailman/listinfo/python-list

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-list/attachments/20071024/95000c3c/attachment.html>


More information about the Python-list mailing list