Sqlite3. Substitution of names in query.

Carsten Haese carsten.haese at gmail.com
Sun Nov 1 01:12:19 CET 2009


Lawrence D'Oliveiro wrote:
> In message <mailman.2376.1257005738.2807.python-list at python.org>, Carsten 
> Haese wrote:
> 
>> Lawrence D'Oliveiro wrote:
>>
>>> In message <mailman.2357.1256964121.2807.python-list at python.org>, Dennis
>>> Lee Bieber wrote:
>>>
>>>> This way regular string interpolation operations (or whatever Python
>>>> 3.x has replaced it with) are safe to construct the SQL, leaving only
>>>> user supplied (or program generated) data values to be passed via the
>>>> DB-API parameter system -- so that they are properly escaped and
>>>> rendered safe.
>>> Mixing the two is another recipe for confusion and mistakes.
>> Mixing the two is necessary.
>> ...
>> As long as you understand what you're doing, there should be no confusion.
>> (And if you don't understand what you're doing, you shouldn't be doing
>> it!)
> 
> But if you understand what you're doing, you don't need to mix the two.

Are we talking about the same thing here? I thought we're talking about
string interpolation and parameter binding, and I explained that mixing
those two is necessary if you have a query in which the "movable" bits
are identifiers or other syntax elements.

On what grounds are you asserting that it's not necessary to mix the
two? Please elaborate your point.

--
Carsten Haese
http://informixdb.sourceforge.net




More information about the Python-list mailing list