String substitution VS proper mysql escaping

MRAB python at mrabarnett.plus.com
Sat Aug 28 22:12:03 CEST 2010


On 28/08/2010 20:51, Νίκος wrote:
> On 28 Αύγ, 22:35, MRAB<pyt... at mrabarnett.plus.com>  wrote:
>
>> """When there's more than one value you provide a tuple. It's makes sense
>> from the point of view of consistency that you also provide a tuple when
>> there's only one value."""
>
> Can you write something that make use of more than one value?
>
>
> Perhaps you mena somethign like?
>
> cursor.execute( '''SELECT hits FROM counters WHERE page = %s and date
> = %s and host = %s''' , (page,) )
>
> Is this what you mean?
>
> All those special format strign identifiers will grab their values out
> of the tuple?

Your example contains 3 placeholders, so it needs 3 values:

     cursor.execute('''SELECT hits FROM counters WHERE page = %s and 
date = %s and host = %s''', (page, date, host))

This will be safe. Any quoting that's needed will be done by .execute().



More information about the Python-list mailing list