how to replace and string in a "SELECT ... IN ()"
d3vvnull at gmail.com
Mon Sep 29 01:52:14 CEST 2008
Sadly no. There is no utterance too inconsequential.
On Sun, Sep 28, 2008 at 3:10 PM, Steve Holden <steve at holdenweb.com> wrote:
> Michael Mabin wrote:
> > Tino, dude, I'm afraid I lied about my previous post being the last
> > word. There are some things you said here that must be addressed.
> Good grief, is there no utterance so inconsequential that you will walk
> away from it without yet another round of retaliation?
> I believe that all people were trying to convey is:
> 1. There are some data patterns that cannot be directly incorporated
> into SQL statements without additional processing, regardless of whether
> the "intention" of the data's originator is malevolent. A good example
> is a string value containing an apostrophe, which in most SQL
> implementations you can escape by preceding the apostrophe with another.
> 2. SQL drivers in Python are written so that no matter what the values
> of the data may be, and no matter which backend they implement, data may
> safely be passed as a tuple to a parameterized statement without such
> cleansing because the drivers are written to ensure "dangerous" values
> are appropriately handled.
> Having said all that, if you are positive none of your string data
> contains apostrophes you are, of course, free to build SQL statements
> yourself - though doing so will on some systems lose you the speed
> advantages offered by "prepared statements". Similarly, if you are *not*
> positive of the quality of your data you are free to do the escaping in
> your logic rather than using parameterized queries. This could be called
> "buying a dog and barking yourself".
> Steve Holden +1 571 484 6266 +1 800 494 3119
> Holden Web LLC http://www.holdenweb.com/
| _ | * | _ |
| _ | _ | * |
| * | * | * |
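To illustrate the two approaches contrasted above (building the IN list yourself versus handing a tuple to a parameterized statement), here is an added example written for this archive page; it is not code posted by anyone in the thread. It uses the standard-library sqlite3 DB-API driver, a constructed in-memory table of names, and the hypothetical helper names make_db, select_in_unsafe and select_in_param.

```python
import sqlite3

# Constructed sample data for this example (not from the thread): a few
# names, one of which contains an apostrophe.
SAMPLE_NAMES = ["O'Brien", "Mabin", "Holden", "Tino"]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO people (name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    return conn


def select_in_unsafe(conn, names):
    """The 'build the SQL yourself' approach: string interpolation.

    Kept only as the 'before' case. A plain apostrophe breaks the statement,
    and a hostile value can rewrite the WHERE clause entirely.
    """
    literals = ", ".join("'%s'" % n for n in names)
    sql = "SELECT name FROM people WHERE name IN (%s)" % literals
    return [row[0] for row in conn.execute(sql)]


def select_in_param(conn, names):
    """The DB-API approach: one '?' placeholder per value, values as a tuple.

    Only the placeholder list is interpolated, never the data, so the driver
    does all quoting and the data cannot change the statement's structure.
    An empty list returns no rows instead of emitting the invalid 'IN ()'.
    """
    names = list(names)
    if not names:
        return []
    placeholders = ", ".join("?" * len(names))  # e.g. "?, ?, ?"
    sql = "SELECT name FROM people WHERE name IN (%s)" % placeholders
    return [row[0] for row in conn.execute(sql, tuple(names))]


def demo():
    """Run both approaches on benign and hostile input; return the outcomes."""
    conn = make_db()
    results = {}
    results["param_apostrophe"] = select_in_param(conn, ["O'Brien", "Holden"])
    results["param_empty"] = select_in_param(conn, [])

    # Hostile value: closes the literal and the IN list, then appends a tautology.
    hostile = "x') OR ('1'='1"
    results["param_hostile"] = select_in_param(conn, [hostile])  # matches nothing

    try:
        select_in_unsafe(conn, ["O'Brien"])
        results["unsafe_apostrophe"] = "no error"
    except sqlite3.OperationalError:
        results["unsafe_apostrophe"] = "OperationalError"  # syntax error near "Brien"

    # With interpolation the tautology is live and every row comes back.
    results["unsafe_hostile"] = select_in_unsafe(conn, [hostile])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The placeholder style is driver-specific: sqlite3 uses "?" (paramstyle "qmark"), while drivers such as psycopg2 or MySQLdb use "%s" (paramstyle "format"); check the driver's paramstyle attribute rather than assuming one. Either way the data goes in the second argument to execute(), never into the string.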