String substitution VS proper mysql escaping

Νίκος nikos.the.gr33k at gmail.com
Sun Aug 29 07:13:49 CEST 2010


On 28 Αύγ, 23:12, MRAB <pyt... at mrabarnett.plus.com> wrote:
> On 28/08/2010 20:51, Νίκος wrote:
>
>
>
>
>
>
>
>
>
> > On 28 Αύγ, 22:35, MRAB<pyt... at mrabarnett.plus.com>  wrote:
>
> >> """When there's more than one value you provide a tuple. It's makes sense
> >> from the point of view of consistency that you also provide a tuple when
> >> there's only one value."""
>
> > Can you write something that make use of more than one value?
>
> > Perhaps you mena somethign like?
>
> > cursor.execute( '''SELECT hits FROM counters WHERE page = %s and date
> > = %s and host = %s''' , (page,) )
>
> > Is this what you mean?
>
> > All those special format strign identifiers will grab their values out
> > of the tuple?
>
> Your example contains 3 placeholders, so it needs 3 values:
>
>      cursor.execute('''SELECT hits FROM counters WHERE page = %s and
> date = %s and host = %s''', (page, date, host))
>
> This will be safe. Any quoting that's needed will be done by .execute().

Will this also work without the parentheses?

> cursor.execute('''SELECT hits FROM counters WHERE page = %s and
> date = %s and host = %s''', page, date, host)

or python will not allow it cause it might think there are 4 args
isntead of two?


> cursor.execute(''' SELECT hits FROM counters WHERE page = '%s' and
> date = '%s' and host = '%s' ''', (page, date, host))

Whats happens if i attempt to also quote by single or double quoting
the above although now i'm aware that .execute method does the quoting
for me?



More information about the Python-list mailing list