Sqlite3. Substitution of names in query.

Lawrence D'Oliveiro ldo at geek-central.gen.new_zealand
Sat Oct 31 19:51:27 EDT 2009


In message <mailman.2376.1257005738.2807.python-list at python.org>, Carsten 
Haese wrote:

> Lawrence D'Oliveiro wrote:
>
>> In message <mailman.2357.1256964121.2807.python-list at python.org>, Dennis
>> Lee Bieber wrote:
>> 
>>> This way regular string interpolation operations (or whatever Python
>>> 3.x has replaced it with) are safe to construct the SQL, leaving only
>>> user supplied (or program generated) data values to be passed via the
>>> DB-API parameter system -- so that they are properly escaped and
>>> rendered safe.
>> 
>> Mixing the two is another recipe for confusion and mistakes.
> 
> Mixing the two is necessary.
> ...
> As long as you understand what you're doing, there should be no confusion.
> (And if you don't understand what you're doing, you shouldn't be doing
> it!)

But if you understand what you're doing, you don't need to mix the two.
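One way to apply the split Dennis describes above, as an added example that is not code from this thread: table and column names are looked up in the live schema and quoted before being spliced into the SQL text, while the data value only ever reaches SQLite as a bound `?` parameter. The `quote_identifier`, `column_exists`, `lookup` and `demo` helpers and the `users` table are assumptions; the schema check relies on the `pragma_table_info` table-valued function (SQLite 3.16 or later).

```python
import sqlite3

# Added example, not code from the thread. Names (table/column) are spliced
# into the SQL text only after they are found in the live schema and quoted;
# data values are never spliced, they are bound via the DB-API `?` parameter.


def quote_identifier(name: str) -> str:
    """Quote an SQLite identifier: wrap in double quotes, double any inner quote."""
    return '"' + name.replace('"', '""') + '"'


def column_exists(conn: sqlite3.Connection, table: str, column: str) -> bool:
    """True if `table` has a column named `column` (exact, case-sensitive match).

    Both names are passed as parameters to the schema queries, so nothing the
    caller supplies reaches the SQL text here. pragma_table_info() is a
    table-valued function available since SQLite 3.16 (assumed present).
    """
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    if row[0] == 0:
        return False
    cols = {r[0] for r in conn.execute(
        "SELECT name FROM pragma_table_info(?)", (table,))}
    return column in cols


def lookup(conn: sqlite3.Connection, table: str, column: str, value):
    """Rows of `table` where `column` = `value`, keeping names and values apart."""
    if not column_exists(conn, table, column):
        raise ValueError(f"unknown column {column!r} in table {table!r}")
    # Only schema-verified, quoted identifiers are interpolated; the value is bound.
    sql = (f"SELECT * FROM {quote_identifier(table)} "
           f"WHERE {quote_identifier(column)} = ?")
    return conn.execute(sql, (value,)).fetchall()


def demo() -> sqlite3.Connection:
    """Constructed in-memory database used by this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("o'brien",)])
    return conn


if __name__ == "__main__":
    c = demo()
    print(lookup(c, "users", "name", "o'brien"))   # [(2, "o'brien")]
```

A value containing a quote (such as `o'brien`) needs no escaping because it never becomes part of the SQL text; a name that is not in the schema is rejected before any query is built.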


