Manual parameter substitution in sqlite3

Christian Gollwitzer auriocus at gmx.de
Thu Mar 2 03:55:54 EST 2017


Am 28.02.17 um 18:28 schrieb Skip Montanaro:
> Most of the time (well, all the time if you're smart), you let the
> database adapter do parameter substitution for you to avoid SQL
> injection attacks (or stupid users). So:
>
>     curs.execute("select * from mumble where key = ?", (key,))
>
> If you want to select from several possible keys, it would be nice to
> be able to do this:
>
>     curs.execute("select * from mumble where key in (?)", (keys,))
>
> but that doesn't work.

Instead of building the query on the fly (with quoting hell etc.), you 
could do it "the (theoretical) right way", which is using another table. 
Insert your keys into a table, maybe temporary one, and then do

select * from mumble where key in (select key from keytable)

In theory that should also be faster, but unless you have a thousand 
keys, there will be no noticeable difference.

	Christian



More information about the Python-list mailing list