jws wrote:
My ticket was closed - http://code.djangoproject.com/ticket/470
I'd like to clarify the reasoning, since I think it pertains to a
larger issue. My understanding of Adrian's comment is that there
currently is no infrastructure in Django to escape special characters
in strings in a way that is specific to each backend. Admittedly, I
haven't dug in very far yet, but that seems like an odd omission.
Django uses bound parameters in queries. It means that a query that is fed
to the database never contains any actual strings or numbers but instead
placeholders:
SELECT name FROM some_table WHERE id=%s
%s is a placeholder (though it looks similar to Python's specifier). When
the database executes the query and encounters a placeholder, only then does
it ask the client for the data for this placeholder. The data itself is
provided separately in native format.
This serves two purposes:
- you don't need escaping since the database has already parsed and prepared
the query and just picks up the data in a known format
- similar queries which differ only in data become absolutely identical,
which means that the database may cache its parsed state and just use
different parameters. This GREATLY improves performance.
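The bound-parameter behaviour described in the reply above, as an added example that is not part of the original post or of Django's own code: the same lookup written once with Python string interpolation (which is what makes backend-specific escaping necessary) and once with a DB-API bound parameter. It uses Python's standard sqlite3 module so it runs offline; sqlite3 spells the placeholder `?` rather than the `%s` shown in the post, which is the form MySQLdb and psycopg2 use. The table name, rows and the attacker-controlled input are constructed for this example.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Build an in-memory database with a small some_table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE some_table (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO some_table VALUES (?, ?)", ROWS)
    return conn


def lookup_interpolated(conn, user_input):
    """Deliberately unsafe: Python's % operator splices the value into the
    SQL text before the database sees it, so the value is parsed as SQL.
    Without escaping, '1 OR 1=1' widens the WHERE clause to every row."""
    sql = "SELECT name FROM some_table WHERE id=%s ORDER BY id" % user_input
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, user_input):
    """Bound parameter: the SQL text handed to the database contains only
    the placeholder, so it is identical on every call (which is what lets
    the database reuse its parsed plan). The value travels separately in
    native form and is compared as data, never parsed as SQL.
    sqlite3's placeholder is '?'; MySQLdb/psycopg2 use '%s' as in the post."""
    sql = "SELECT name FROM some_table WHERE id=? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_input,))]


if __name__ == "__main__":
    db = make_db()
    # Hypothetical attacker input: harmless as data, dangerous as SQL text.
    payload = "1 OR 1=1"
    print("interpolated:", lookup_interpolated(db, payload))
    print("bound:       ", lookup_bound(db, payload))
```

For benign input both functions return the same row; for the payload the interpolated query returns every name while the bound query returns nothing, because the string "1 OR 1=1" is compared against the integer column as a value and matches no id.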