Sqlite3. Substitution of names in query.
carsten.haese at gmail.com
Sun Nov 1 01:12:19 CET 2009
Lawrence D'Oliveiro wrote:
> In message <mailman.2376.1257005738.2807.python-list at python.org>, Carsten
> Haese wrote:
>> Lawrence D'Oliveiro wrote:
>>> In message <mailman.2357.1256964121.2807.python-list at python.org>, Dennis
>>> Lee Bieber wrote:
>>>> This way regular string interpolation operations (or whatever Python
>>>> 3.x has replaced it with) are safe to construct the SQL, leaving only
>>>> user supplied (or program generated) data values to be passed via the
>>>> DB-API parameter system -- so that they are properly escaped and
>>>> rendered safe.
>>> Mixing the two is another recipe for confusion and mistakes.
>> Mixing the two is necessary.
>> As long as you understand what you're doing, there should be no confusion.
>> (And if you don't understand what you're doing, you shouldn't be doing
> But if you understand what you're doing, you don't need to mix the two.
Are we talking about the same thing here? I thought we're talking about
string interpolation and parameter binding, and I explained that mixing
those two is necessary if you have a query in which the "movable" bits
are identifiers or other syntax elements.
On what grounds are you asserting that it's not necessary to mix the
two? Please elaborate your point.
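An added example (not part of the thread or of any poster's code) showing the split Dennis and Carsten describe with Python's sqlite3 module: the table and column names are interpolated into the SQL text, the data values go through DB-API parameter binding. It also shows why binding an identifier as a `?` parameter does not do what people expect. The `quote_identifier` helper and the `PRAGMA table_info` allowlist check are this example's own choices, not something the thread prescribes; the sample rows are constructed.

```python
import sqlite3


def quote_identifier(name):
    """Quote a name for use as an SQLite identifier: wrap in double quotes
    and double any embedded double quote. This escapes identifiers only;
    it is not a substitute for parameter binding of data values."""
    if not name or "\x00" in name:
        raise ValueError("invalid identifier: %r" % (name,))
    return '"' + name.replace('"', '""') + '"'


def build_db():
    """Constructed in-memory sample database for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, age INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", 30), ("bob", 25), ("carol", 41)],
    )
    return conn


def column_names(conn, table):
    """Real column names of `table`, used as an allowlist for identifiers.
    The table name itself is interpolated (quoted), since PRAGMA arguments
    cannot be bound either."""
    sql = "PRAGMA table_info(%s)" % quote_identifier(table)
    return [row[1] for row in conn.execute(sql)]


def is_valid_column(conn, table, column):
    return column in column_names(conn, table)


def select_with_bound_identifier(conn, column, age_min):
    """WRONG: the column name is passed as a bound parameter, so SQLite
    sees a string literal, and every row yields the literal text."""
    sql = "SELECT ? FROM users WHERE age > ? ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, (column, age_min))]


def select_column(conn, table, column, age_min):
    """RIGHT: identifiers are checked against the schema and interpolated
    (quoted) into the SQL text; the data value is bound with `?`."""
    if not is_valid_column(conn, table, column):
        raise ValueError("unknown column: %r" % (column,))
    sql = "SELECT %s FROM %s WHERE age > ? ORDER BY rowid" % (
        quote_identifier(column),
        quote_identifier(table),
    )
    return [row[0] for row in conn.execute(sql, (age_min,))]


if __name__ == "__main__":
    db = build_db()
    print(select_with_bound_identifier(db, "name", 26))   # ['name', 'name']
    print(select_column(db, "users", "name", 26))        # ['alice', 'carol']
    print(select_column(db, "users", "age", 26))         # [30, 41]
    print(is_valid_column(db, "users", "name FROM users; --"))  # False
```

The allowlist check matters beyond tidiness: in default SQLite builds a double-quoted name that does not resolve to a column is silently treated as a string literal (the legacy "double-quoted string" behaviour), so quoting alone does not prove the interpolated text was a real column name. Checking the name against `PRAGMA table_info` before interpolating closes that gap, and the age value still never touches the SQL text.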