escape single and double quotes

Michael Pelz Sherman mpelzsherman at yahoo.com
Wed Oct 24 01:50:55 CEST 2007


Leif B. Kristensen wrote:

>>> You don't need to escape text when using the Python DB-API.
>>> DB-API will do everything for you.
>>> For example:
>>>  SQL = 'INSERT into TEMP data = %s'
>>>  c.execute(SQL, """ text containing ' and ` and all other stuff we
>>>  might
>>>   read from the network""")
>>>
>>> You see, the SQL string contains a %s placeholder, but instead of
>>> executing the simple string expansion SQL % """....""", I call the
>>> execute method with the text as a second *parameter*. Everything else
>>> is magic :).
> 
>> Sure, but does this work if you need more than one placeholder?

> Yes it works with more than one placeholder.

Yes, BUT: I have found that all of the placeholders must be STRINGS!

If I try to use other data types (%d, %f, etc.), I get an error:

File "/usr/lib/python2.5/site-packages/MySQLdb/cursors.py", line 149, in execute
    query = query % db.literal(args)
TypeError: float argument required

It's not a huge problem to convert my non-string args, but it
seems like this should be fixed if it's a bug, no?

- Michael
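
An added example, not part of the original message and not MySQLdb's own code: a simplified model of the `query % db.literal(args)` line from the traceback, showing why `%d` and `%f` fail while `%s` works for every argument type. The names `literal`, `render` and `try_render`, the table `t` and the sample values are assumptions made for the illustration.

```python
# Simplified model (constructed for illustration) of the traceback line:
#     query = query % db.literal(args)
# literal(), render() and try_render() are hypothetical names, not MySQLdb's
# API, and the escaping here is a toy stand-in for the driver's own routine.

def literal(value):
    """Turn one Python value into the text of an SQL literal."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)  # numbers become *strings* such as '3.5'
    text = str(value).replace("\\", "\\\\").replace("'", "\\'")
    return "'" + text + "'"

def render(query, args):
    """Substitute the converted literals with Python's % operator."""
    return query % tuple(literal(a) for a in args)

def try_render(query, args):
    """Return the rendered SQL, or the name of the exception raised."""
    try:
        return render(query, args)
    except TypeError as exc:
        return type(exc).__name__

ARGS = ("O'Brien", 42, 3.5)  # constructed sample values

# %s for every column: each literal is already a string, so this works.
GOOD = try_render("INSERT INTO t (name, qty, price) VALUES (%s, %s, %s)", ARGS)
# %d / %f: the % operator receives the strings '42' and '3.5', not numbers.
BAD = try_render("INSERT INTO t (name, qty, price) VALUES (%s, %d, %f)", ARGS)

if __name__ == "__main__":
    print(GOOD)
    print(BAD)
```

In this model the `%s` in the query is only a parameter marker: type conversion and quoting happen in `literal()` before the substitution, so numeric arguments can be passed as they are.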