String substitution VS proper mysql escaping

Nik the Greek nikos.the.gr33k at gmail.com
Mon Aug 30 04:33:56 CEST 2010


On 30 Αύγ, 05:04, MRAB <pyt... at mrabarnett.plus.com> wrote:

when iam trying to pass a tuple to the execute methos should i pass it
like this?

cursor.execute(''' SELECT hits FROM counters WHERE page = %s and
date = %s and host = %s ''' % (page, date, host) )


or like

tuple = (page, host, date)

cursor.execute(''' SELECT hits FROM counters WHERE page = %s and
date = %s and host = %s ''' % (tuple) )


Or is it the same thing?

> > =========================
> > I'm asking this to see why
>
> > cursor.execute(''' SELECT hits FROM counters WHERE page = '%s' and
> > date = '%s' and host = '%s' ''' % (page, date, host) )
>
> > does work, while same thign qithout the quotes
>
> > cursor.execute(''' SELECT hits FROM counters WHERE page = %s and date
> > = %s and host = %s ''' % (page, date, host) )
>
> > doesn't. Dont know why but quotes somehopw confuse me both in strings
> > and sql_queries as well when it comes to substitutions.
>
> Don't quote the placeholders yourself. Let the method do it.

No, iam taking substitution here not mysql escaping.

Cursor.execute(''' SELECT hits FROM counters WHERE page = '%s' and
date = '%s' and host = '%s' ''' % (page, date, host) )

As it is above it works , with double quotes still works but if i
leave it unquoted it doesn't.

This is because without sigle or double quotes the the method doesn't
know where a value begins and here it ends? That why it needs quoting?



More information about the Python-list mailing list