how to replace and string in a "SELECT ... IN ()"

Steve Holden steve at
Sun Sep 28 22:10:03 CEST 2008

Michael Mabin wrote:
> Tino, dude, I'm afraid I lied about my previous post being the last
> word.  There are some things you said here that must be addressed.

Good grief, is there no utterance so inconsequential that you will walk
away from it without yet another round of retaliation?

I believe that all people were trying to convey is:

1. There are some data patterns that cannot be directly incorporated
into SQL statements without additional processing, regardless of whether
the "intention" of the data's originator is malevolent. A good example
is a string value containing an apostrophe, which in most SQL
implementations you can escape by preceding the apostrophe with another

2. SQL drivers in Python are written so that no matter what the values
of the data may be, and no matter which backend they implement, data may
safely be passed as a tuple to a parameterized statement without such
cleansing because the drivers are written to ensure "dangerous" values
are appropriately handled.

Having said all that, if you are positive none of your string data
contains apostrophes you are, of course, free to build SQL statements
yourself - though doing so will on some systems lose you the speed
advantages offered by "prepared statements". Similarly, if you are *not*
positive of the quality of your data you are free to do the escaping in
your logic rather than using parameterized queries. This could be called
"buying a dog and barking yourself".

Steve Holden        +1 571 484 6266   +1 800 494 3119
Holden Web LLC    

More information about the Python-list mailing list