String substitution VS proper mysql escaping

Nik Gr nikos.the.gr33k at gmail.com
Fri Aug 20 08:04:16 CEST 2010


  Στις 20/8/2010 8:22 πμ, ο/η Cameron Simpson έγραψε:
> [...snip...]
> | Why does the page variable which is actually a string needs to be a
> | tuple or a list and not just as a string which is what it actually
> | is?
>
> With regard to the "%" operator, it considers the string on the left to
> be a format string with multiple %blah things in it to replace. The
> thing on the right is a sequence of items to place into the format
> string.
>
I didn't undersatnd.

> So the thing on the right is_supposed_  to
> | I have a strong desire to use it like this:
> | cursor.execute( '''SELECT hits FROM counters WHERE page = %s''' , page )
> | opposed to tuple.
>
> Hmm. This isn't the python "%" format operator at all.
> This is the database API's .execute() method.
> If it expects its second argument to be a sequence of parameters
> (which is does) then you need to supply a sequence of parameters.
> It is that simple!
>
> In you usage above you're supplying "page" instead of "(page,)".
> The latter matches the .execute() method's requirements.
I don't follow either.



More information about the Python-list mailing list