SQL and CSV

andrew cooke andrew at acooke.org
Fri May 8 08:49:07 EDT 2009


Lawrence D'Oliveiro wrote:
> In message <gu0ofm$oj9$00$1 at news.t-online.com>, Peter Otten wrote:
>
>> While it may not matter here using placeholders instead of manually
>> escaping user-provided values is a good habit to get into.
>
> Until you hit things it can't deal with.

The post you are replying to was talking about using the SQL library's "?"
syntax that automatically escapes values.  The usual reason this is
recommended (if I have understood correctly) is that the library code is
much more likely to foil injection attacks.  I have seen this mentioned
often and assume it is good advice.

Can you expand on your comment?  I assume you are thinking of how the
library might handle some strange class.  But isn't the number of types
limited by SQL?  In which case a "thing that can't be handled" could
presumably be managed by adding an appropriate __str__ or __float__ or
whatever?  And you would still use the library to give safety with other
values.

Maybe you could give an example of the kind of problem you're thinking of?

Thanks,
Andrew
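As an added illustration of the two points above (that the "?" placeholder keeps a value from altering the query, and that a type SQL does not know can be handled by teaching the library how to convert it), here is a small sqlite3 example. It is not part of the thread; the `Money` class, the `people` table and its rows are constructed for the demonstration, while `sqlite3.register_adapter` is the real standard-library hook for the kind of adapter Andrew is asking about.

```python
import sqlite3


class Money:
    """Constructed example type: an amount in cents that sqlite3 cannot bind natively."""

    def __init__(self, cents):
        self.cents = cents

    def __repr__(self):
        return f"Money({self.cents})"


# Teach sqlite3 how to bind a Money value. An adapter maps a Python type to one
# of the few types SQL understands (int, float, str, bytes, None), so the
# placeholder machinery keeps working for our own class.
sqlite3.register_adapter(Money, lambda m: m.cents)


def make_db():
    """Constructed in-memory table with a few sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO people VALUES (?, ?)",
        [("alice", Money(100)), ("bob", Money(250)), ("o'brien", Money(75))],
    )
    return conn


def find_formatted(conn, name):
    """Manual approach: the value is spliced into the SQL text by hand."""
    sql = "SELECT name FROM people WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_placeholder(conn, name):
    """Placeholder approach: the value travels separately from the SQL text."""
    sql = "SELECT name FROM people WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def richer_than(conn, threshold):
    """Bind a Money value through the registered adapter."""
    sql = "SELECT name FROM people WHERE balance > ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (threshold,))]


def demo():
    conn = make_db()

    # A legitimate name containing an apostrophe: binding copes, hand-built SQL breaks.
    bound_ok = find_placeholder(conn, "o'brien")
    try:
        find_formatted(conn, "o'brien")
        formatted_error = None
    except sqlite3.OperationalError as exc:
        formatted_error = str(exc)

    # A hostile value: formatting lets it change the WHERE clause and match every
    # row; binding treats the whole string as data and matches nothing.
    hostile = "x' OR 'a'='a"
    formatted_rows = find_formatted(conn, hostile)
    bound_rows = find_placeholder(conn, hostile)

    # The custom type is bound through the adapter like any other value.
    rich = richer_than(conn, Money(90))

    return bound_ok, formatted_error, formatted_rows, bound_rows, rich


if __name__ == "__main__":
    for label, value in zip(
        ("bound lookup", "formatted error", "formatted hostile", "bound hostile", "adapter"),
        demo(),
    ):
        print(f"{label}: {value!r}")
```

The adapter answers the "strange class" question directly: rather than hand-escaping, you register one conversion for the type and keep every value going through the placeholder path, so the library's handling of quotes and other metacharacters still applies uniformly.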