String substitution VS proper mysql escaping
python at mrabarnett.plus.com
Sat Aug 28 22:12:03 CEST 2010
On 28/08/2010 20:51, Νίκος wrote:
> On 28 Aug, 22:35, MRAB<pyt... at mrabarnett.plus.com> wrote:
>> """When there's more than one value you provide a tuple. It's makes sense
>> from the point of view of consistency that you also provide a tuple when
>> there's only one value."""
> Can you write something that makes use of more than one value?
> Perhaps you mean something like?
> cursor.execute( '''SELECT hits FROM counters WHERE page = %s and date
> = %s and host = %s''' , (page,) )
> Is this what you mean?
> All those special format string identifiers will grab their values out
> of the tuple?
Your example contains 3 placeholders, so it needs 3 values:
cursor.execute('''SELECT hits FROM counters WHERE page = %s and
date = %s and host = %s''', (page, date, host))
This will be safe. Any quoting that's needed will be done by .execute().
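As an added illustration (not part of the thread, and not MySQLdb's own code): the two approaches side by side. It uses Python's standard sqlite3 module in place of MySQLdb so it runs without a server; sqlite3 uses "?" placeholders where MySQLdb uses "%s", but the tuple of values is passed to .execute() the same way, and the constructed rows are only sample data.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the MySQL "counters" table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE counters (page TEXT, date TEXT, host TEXT, hits INTEGER)"
    )
    conn.executemany(
        "INSERT INTO counters VALUES (?, ?, ?, ?)",
        [
            ("index.html", "2010-08-28", "example.org", 7),
            ("o'neil.html", "2010-08-28", "example.org", 3),
        ],
    )
    return conn


def hits_substituted(conn, page, date, host):
    # String substitution: the values are pasted into the SQL text before
    # the driver ever sees them, so a quote in the data becomes SQL syntax.
    sql = (
        "SELECT hits FROM counters WHERE page = '%s' AND date = '%s' "
        "AND host = '%s'" % (page, date, host)
    )
    return [row[0] for row in conn.execute(sql)]


def hits_parameterised(conn, page, date, host):
    # Placeholders plus a tuple: the driver quotes each value itself and
    # the value is always treated as data, never as part of the statement.
    sql = "SELECT hits FROM counters WHERE page = ? AND date = ? AND host = ?"
    return [row[0] for row in conn.execute(sql, (page, date, host))]


def compare(page, date="2010-08-28", host="example.org"):
    # Returns (substituted result, parameterised result) for one lookup;
    # an OperationalError from the substituted query is returned as text.
    conn = make_db()
    try:
        substituted = hits_substituted(conn, page, date, host)
    except sqlite3.OperationalError as exc:
        substituted = "error: %s" % exc
    return substituted, hits_parameterised(conn, page, date, host)


if __name__ == "__main__":
    print(compare("index.html"))
    print(compare("o'neil.html"))
```

For a page name without quotes both versions agree; for "o'neil.html" the substituted query breaks on the apostrophe while the parameterised one returns the right row.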