Sqlite3. Substitution of names in query.

Carsten Haese carsten.haese at gmail.com
Sat Oct 31 17:15:09 CET 2009

Lawrence D'Oliveiro wrote:
> In message <mailman.2357.1256964121.2807.python-list at python.org>, Dennis Lee 
> Bieber wrote:
>> This way regular string interpolation operations (or whatever Python
>> 3.x has replaced it with) are safe to construct the SQL, leaving only
>> user supplied (or program generated) data values to be passed via the
>> DB-API parameter system -- so that they are properly escaped and
>> rendered safe.
> Mixing the two is another recipe for confusion and mistakes.

Mixing the two is necessary. According to the SQL standard, parameters
can only take the place of literal values. Parameters can't take the
place of identifiers or keywords that make up the structure of the query.

So, you use string manipulation to build the structure of the query, and
then you use parameter binding to fill values into the query. They are
two different tools for two fundamentally different jobs. As long as you
understand what you're doing, there should be no confusion. (And if you
don't understand what you're doing, you shouldn't be doing it!)

Carsten Haese

More information about the Python-list mailing list