strange use of %s
Chris Angelico
rosuav at gmail.com
Tue Apr 19 01:31:44 EDT 2011
On Tue, Apr 19, 2011 at 3:22 PM, Dennis Lee Bieber
<wlfraed at ix.netcom.com> wrote:
> On Mon, 18 Apr 2011 09:44:40 +0100, Tim Golden <mail at timgolden.me.uk>
> declaimed the following in gmane.comp.python.general:
>
>
>> sql = "SELECT ... WHERE name LIKE '%' + ? + '%'"
>> q = db.cursor ()
>> q.execute (sql, [response])
>>
> That won't work properly either (at least not in MySQLdb -- which
> quotes the values put into the placeholder; you'd end up with
> '%''value''%'
You'd end up with "... LIKE '%' + 'value' + '%'" which is perhaps
overkill (it forces the database engine to concatenate three strings),
but at least it's safe.
Chris Angelico
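Added example, not part of this thread: the concatenated-placeholder form Tim posted beside the single-parameter form (build the whole pattern in Python, bind it once), run against an in-memory sqlite3 table with constructed rows. sqlite3 concatenates with || rather than +, and the last function goes beyond the thread by escaping LIKE's own wildcards so user input matches literally.

```python
import sqlite3

# Constructed sample rows (not from the mailing-list thread).
ROWS = [("alice",), ("bob",), ("50% off",), ("a_b",), ("carol",)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT)")
    conn.executemany("INSERT INTO people VALUES (?)", ROWS)
    return conn


def search_concat(conn, response):
    # Tim's form: the engine concatenates '%', the bound value and '%'.
    # The value is bound, never spliced into the SQL text, so it is safe;
    # SQLite spells string concatenation || (MySQL's + would add numbers here).
    sql = "SELECT name FROM people WHERE name LIKE '%' || ? || '%'"
    return [row[0] for row in conn.execute(sql, [response])]


def search_param(conn, response):
    # Same safety with no engine-side concatenation: build the pattern in
    # Python and bind it as one parameter.
    sql = "SELECT name FROM people WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ["%" + response + "%"])]


def search_literal(conn, response):
    # Binding stops SQL injection but not LIKE wildcards: a user-supplied
    # '%' or '_' still widens the match. Escape them so the input is literal.
    escaped = (response.replace("\\", "\\\\")
                       .replace("%", "\\%")
                       .replace("_", "\\_"))
    sql = "SELECT name FROM people WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ["%" + escaped + "%"])]


if __name__ == "__main__":
    db = make_db()
    print(search_concat(db, "o"))    # ['bob', '50% off', 'carol']
    print(search_param(db, "%"))     # every row: '%' is still a wildcard
    print(search_literal(db, "%"))   # ['50% off']: now matched literally
```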