SQL and CSV
nickle at gmail.com
Fri May 8 10:22:02 EDT 2009
On May 8, 1:49 pm, "andrew cooke" <and... at acooke.org> wrote:
> Lawrence D'Oliveiro wrote:
> > In message <gu0ofm$oj9$0... at news.t-online.com>, Peter Otten wrote:
> >> While it may not matter here using placeholders instead of manually
> >> escaping user-provided values is a good habit to get into.
> > Until you hit things it can't deal with.
> The post you are replying to was talking about using the SQL library's "?"
> syntax that automatically escapes values. The usual reason this is
> recommended (if I have understood correctly) is that the library code is
> much more likely to foil injection attacks. I have seen this mentioned
> often and assume it is good advice.
> Can you expand on your comment? I assume you are thinking of how the
> library might handle some strange class. But aren't the number of types
> limited by SQL? In which case a "thing that can't be handled" could
> presumably be managed by adding an appropriate __str__ or __float__ or
> whatever? And you would still use the library to give safety with other
> Maybe you could give an example of the kind of problem you're thinking of?
Injection attacks aren't an issue, its a local app.
It's part of a reconciliation system, where sometimes data is in csv
files. If you want the whole csv file, you can use csv module without
In some cases, I need to manipulate the data.
The choices are hard code the manipulation, or load the data from a
So what I've got is the query in the config and I can process it.
More information about the Python-list