String substitution VS proper mysql escaping

MRAB python at
Sat Aug 28 21:35:08 CEST 2010

On 28/08/2010 20:10, Νίκος wrote:
> On 20 Αύγ, 09:04, Nik Gr< at>  wrote:
>> With regard to the "%" operator, it considers the string on the left to
>> be a format string with multiple %blah things in it to replace. The
>> thing on the right is a sequence of items to place into the format
>> string.
> Can you please clarify what you mean by that?

     format_string % (item_1, item_2, item_3)

>> In you usage above you're supplying "page" instead of "(page,)".
>> The latter matches the .execute() method's requirements.
> I tried it and "page" as a string and not a as a single element tuple
> works ok.

Although the .execute() method might accept a single string:

     cursor.execute(sql_query, page)

as well as a tuple containing the string:

     cursor.execute(sql_query, (page, ))

try to be consistent. As I said before:

"""When there's more than one value you provide a tuple. It's makes sense
from the point of view of consistency that you also provide a tuple when
there's only one value."""

More information about the Python-list mailing list