On Thu, Oct 22, 2020 at 8:12 PM Hans Ginzel <h...@matfyz.cz> wrote:
>
> Hello,
>
> consider this snippet please
>
> cursor.execute(f"INSERT INTO {table} VALUES (1, '{}');")
> SyntaxError: f-string: empty expression not allowed
>
> It is (absolutely) correct to insert empty json into database table field.
> Empty expression in f-string should
> * (silently) expand as '{}' (opening and closing braces),
> * generate a (compile time) warning if requested, e.g. with -W.

My recommendation here would be to separate the part where you insert
a table name from the rest of the statement:

cursor.execute(f"INSERT INTO {table} "
    "VALUES (1, '{}')")

That way, you aren't at risk of SQL injection in the rest of the
statement, and you have a very clear separation saying "hey this bit
is doing something really unusual and using interpolation in SQL".

ChrisA
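
An added example, not part of the original message and not code from either poster: it keeps the table name in its own f-string as suggested above, and goes a step further by checking that name against an allowlist and passing the values as bound parameters. The `sqlite3` in-memory database, the `events` table, `ALLOWED_TABLES` and the helper names are assumptions made for illustration.

```python
import json
import sqlite3

# Hypothetical allowlist: the only table names this code may interpolate.
ALLOWED_TABLES = {"events", "audit_log"}


def quote_identifier(name: str) -> str:
    """Return name as a double-quoted SQL identifier, if it is allowlisted."""
    if name not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {name!r}")
    # Double any embedded quote so the name cannot end the identifier early.
    return '"' + name.replace('"', '""') + '"'


def insert_json(conn: sqlite3.Connection, table: str, row_id: int, doc) -> None:
    # The only interpolated piece is the checked identifier; it sits in its
    # own f-string, apart from the rest of the statement.
    sql = (f"INSERT INTO {quote_identifier(table)} "
           "VALUES (?, ?)")  # plain string: values go in as bound parameters
    conn.execute(sql, (row_id, json.dumps(doc)))


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "events" (id INTEGER, body TEXT)')
    insert_json(conn, "events", 1, {})  # empty JSON, no brace escaping needed
    # Constructed hostile value: stored as data, never parsed as SQL.
    hostile = "'); DROP TABLE events; --"
    insert_json(conn, "events", 2, {"note": hostile})
    try:
        # Constructed hostile table name: rejected before any SQL is built.
        insert_json(conn, "events; DROP TABLE events; --", 3, {})
        rejected = False
    except ValueError:
        rejected = True
    rows = conn.execute('SELECT id, body FROM "events" ORDER BY id').fetchall()
    return {"rows": rows, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Because the values are bound with `?` placeholders, the empty JSON document never appears inside an f-string at all.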
_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
Message archived at 
https://mail.python.org/archives/list/python-ideas@python.org/message/DS3RXBCWFP2UEQTM2CAM4ZBLNBAECZWJ/