Nick nickle at gmail.com
Fri May 8 10:22:02 EDT 2009

On May 8, 1:49 pm, "andrew cooke" <and... at acooke.org> wrote:
> Lawrence D'Oliveiro wrote:
> > In message <gu0ofm$oj9$0... at news.t-online.com>, Peter Otten wrote:
> >> While it may not matter here using placeholders instead of manually
> >> escaping user-provided values is a good habit to get into.
> > Until you hit things it can't deal with.
> The post you are replying to was talking about using the SQL library's "?"
> syntax that automatically escapes values.  The usual reason this is
> recommended (if I have understood correctly) is that the library code is
> much more likely to foil injection attacks.  I have seen this mentioned
> often and assume it is good advice.
> Can you expand on your comment?  I assume you are thinking of how the
> library might handle some strange class.  But isn't the number of types
> limited by SQL?  In which case a "thing that can't be handled" could
> presumably be managed by adding an appropriate __str__ or __float__ or
> whatever?  And you would still use the library to give safety with other
> values.
> Maybe you could give an example of the kind of problem you're thinking of?
> Thanks,
> Andrew

Injection attacks aren't an issue, it's a local app.

It's part of a reconciliation system, where sometimes data is in csv
files. If you want the whole csv file, you can use the csv module without
a problem.

In some cases, I need to manipulate the data.

The choices are hard code the manipulation, or load the data from a
config file.

So what I've got is the query in the config and I can process it.
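As an added example (not code from the thread), this sqlite3 script shows the two points Andrew raises above: the "?" placeholder coping with a value that hand-built quoting cannot, and an adapter teaching the library how to store a type it does not know (Decimal). The table, the sample rows and the function names are constructed for illustration.

```python
import sqlite3
from decimal import Decimal

# sqlite3 has no native Decimal type; an adapter tells the library how to
# store that "strange class" (as text, so no float rounding creeps in).
sqlite3.register_adapter(Decimal, str)


def new_db():
    """In-memory table standing in for the reconciliation data (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE txn (name TEXT, amount TEXT)")
    return conn


def insert_by_formatting(conn, name, amount):
    """Manual quoting: the value is pasted into the SQL text by hand.
    Returns False when the resulting statement is not even valid SQL."""
    sql = "INSERT INTO txn VALUES ('%s', '%s')" % (name, amount)
    try:
        conn.execute(sql)
        return True
    except sqlite3.OperationalError:
        # A name such as O'Brien breaks the quoting; the row is lost.
        return False


def insert_with_placeholder(conn, name, amount):
    """Library substitution: each '?' is bound to a value by sqlite3,
    and the Decimal goes through the adapter registered above."""
    conn.execute("INSERT INTO txn VALUES (?, ?)", (name, Decimal(amount)))
    return True


def total_amount(conn):
    """Sum the stored amounts in Python so Decimal precision is kept."""
    rows = conn.execute("SELECT amount FROM txn").fetchall()
    return sum((Decimal(a) for (a,) in rows), Decimal("0"))


if __name__ == "__main__":
    db = new_db()
    # Constructed sample rows, as a csv file in the thread might supply them.
    for name, amount in [("Smith", "7.25"), ("O'Brien", "12.50")]:
        print(name, "inserted by formatting:", insert_by_formatting(db, name, amount))
    insert_with_placeholder(db, "O'Brien", "12.50")
    print("total:", total_amount(db))
```

Running it shows the hand-quoted insert of O'Brien failing outright while the placeholder version stores it, which is the everyday (non-attack) reason the "?" habit pays off.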

