strange use of %s

Chris Angelico rosuav at gmail.com
Tue Apr 19 07:31:44 CEST 2011


On Tue, Apr 19, 2011 at 3:22 PM, Dennis Lee Bieber
<wlfraed at ix.netcom.com> wrote:
> On Mon, 18 Apr 2011 09:44:40 +0100, Tim Golden <mail at timgolden.me.uk>
> declaimed the following in gmane.comp.python.general:
>
>
>>    sql = "SELECT ... WHERE name LIKE '%' + ? + '%'"
>>    q = db.cursor ()
>>    q.execute (sql, [response])
>>
>        That won't work properly either (at least not in MySQLdb -- which
> quotes the values put into the placeholder; you'd end up with
>        '%''value''%'

You'd end up with "... LIKE '%' + 'value' + '%'" which is perhaps
overkill (it forces the database engine to concatenate three strings),
but at least it's safe.

Chris Angelico



More information about the Python-list mailing list