String substitution VS proper mysql escaping

Νίκος nikos.the.gr33k at
Sat Aug 28 21:48:52 CEST 2010

On 28 Aug, 22:35, MRAB <pyt... at> wrote:
> On 28/08/2010 20:10, Νίκος wrote:
> > On 20 Aug, 09:04, Nik Gr < at> wrote:
> >> With regard to the "%" operator, it considers the string on the left to
> >> be a format string with multiple %blah things in it to replace. The
> >> thing on the right is a sequence of items to place into the format
> >> string.
> > Can you please clarify what you mean by that?
> Basically:
>      format_string % (item_1, item_2, item_3)

I still don't follow, meaning that I don't see the point here...

> >> In your usage above you're supplying "page" instead of "(page,)".
> >> The latter matches the .execute() method's requirements.
> > I tried it and "page" as a string and not as a single-element tuple
> > works ok.
> Although the .execute() method might accept a single string:
>      cursor.execute(sql_query, page)
> as well as a tuple containing the string:
>      cursor.execute(sql_query, (page, ))
> try to be consistent. As I said before:
> """When there's more than one value you provide a tuple. It makes sense
> from the point of view of consistency that you also provide a tuple when
> there's only one value."""

cursor.execute(sql_query, (page, ))

is different than?

cursor.execute(sql_query, page, )


Why in the MySQL string substitution example do I have to use page='%s', and
in the comma way (automatic MySQL conversion) I don't need the single
quotes and use it as page=%s?
What is the diff?
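
The difference asked about above, as an added example that is not part of the original thread: it uses the standard-library sqlite3 module so it runs without a MySQL server, and sqlite3 spells its placeholder `?` where MySQLdb spells it `%s`. The table, rows and input values are constructed for the illustration.

```python
import sqlite3

def make_db():
    """In-memory table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE counters (page TEXT, hits INTEGER)")
    db.executemany("INSERT INTO counters VALUES (?, ?)",
                   [("index.html", 10), ("about.html", 3)])
    return db

def hits_by_substitution(db, page):
    # Python's % operator pastes the raw text into the SQL, so the quotes
    # around '%s' must be written by hand and the value can close them.
    sql = "SELECT hits FROM counters WHERE page = '%s'" % (page,)
    return [row[0] for row in db.execute(sql)]

def hits_by_binding(db, page):
    # The driver receives the SQL and the value separately; the placeholder
    # is bare because the driver, not the query author, handles quoting.
    sql = "SELECT hits FROM counters WHERE page = ?"
    return [row[0] for row in db.execute(sql, (page,))]

def bare_string_rejected(db, page):
    # sqlite3 treats a bare str as a sequence of characters, one per
    # placeholder, so the one-element tuple is the form that always works.
    try:
        db.execute("SELECT hits FROM counters WHERE page = ?", page)
    except sqlite3.ProgrammingError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"   # constructed input containing a quote
    print(hits_by_substitution(db, "index.html"))  # normal value
    print(hits_by_binding(db, "index.html"))
    print(hits_by_substitution(db, crafted))  # quote closes the literal
    print(hits_by_binding(db, crafted))       # compared as plain data
    print(bare_string_rejected(db, "index.html"))
```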
