how to replace and string in a "SELECT ... IN ()"

Michael Mabin d3vvnull at gmail.com
Mon Sep 29 01:52:14 CEST 2008


Sadly no.  There is no utterance too inconsequential.

On Sun, Sep 28, 2008 at 3:10 PM, Steve Holden <steve at holdenweb.com> wrote:

> Michael Mabin wrote:
> > Tino, dude, I'm afraid I lied about my previous post being the last
> > word.  There are some things you said here that must be addressed.
>
> Good grief, is there no utterance so inconsequential that you will walk
> away from it without yet another round of retaliation?
>
> I believe that all people were trying to convey is:
>
> 1. There are some data patterns that cannot be directly incorporated
> into SQL statements without additional processing, regardless of whether
> the "intention" of the data's originator is malevolent. A good example
> is a string value containing an apostrophe, which in most SQL
> implementations you can escape by preceding the apostrophe with another
> apostrophe.
>
> 2. SQL drivers in Python are written so that no matter what the values
> of the data may be, and no matter which backend they implement, data may
> safely be passed as a tuple to a parameterized statement without such
> cleansing because the drivers are written to ensure "dangerous" values
> are appropriately handled.
>
> Having said all that, if you are positive none of your string data
> contains apostrophes you are, of course, free to build SQL statements
> yourself - though doing so will on some systems lose you the speed
> advantages offered by "prepared statements". Similarly, if you are *not*
> positive of the quality of your data you are free to do the escaping in
> your logic rather than using parameterized queries. This could be called
> "buying a dog and barking yourself".
>
> regards
>  Steve
> --
> Steve Holden        +1 571 484 6266   +1 800 494 3119
> Holden Web LLC              http://www.holdenweb.com/
>
> --
> http://mail.python.org/mailman/listinfo/python-list
>



-- 
| _ | * | _ |
| _ | _ | * |
| *  | * | * |
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-list/attachments/20080928/dc2cc944/attachment.html>


More information about the Python-list mailing list