On Thu, Oct 22, 2020 at 11:32:36PM +1100, Chris Angelico wrote:
> My recommendation here would be to separate the part where you insert
> a table name from the rest of the statement:
> cursor.execute(f"INSERT INTO {table} "
>    "VALUES (1, '{}')")
> That way, you aren't at risk of SQL injection in the rest of the
> statement, and you have a very clear separation saying "hey this bit
> is doing something really unusual and using interpolation in SQL".

Thank you, that is the best suggestion.

--
H.
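A worked version of the separation Chris recommends, added here as an example and not code from either poster. It assumes the standard-library sqlite3 driver, a constructed allowlist of table names (`ALLOWED_TABLES`) and the helper names `quote_identifier`, `insert_row`, `fetch_values` and `demo`, none of which appear in the thread. The identifier is the only thing interpolated, it is checked against the allowlist and quoted before it reaches the statement, and every value goes through a driver placeholder:

```python
import sqlite3

# Constructed allowlist: the only table names the application may interpolate.
ALLOWED_TABLES = {"events", "audit_log"}


def quote_identifier(name: str) -> str:
    """Validate a table name against the allowlist and quote it as an SQL identifier.

    Identifiers cannot be bound as parameters, so the interpolation is confined to
    known names and the result is double-quoted (embedded quotes doubled).
    """
    if name not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def insert_row(conn: sqlite3.Connection, table: str, value: str) -> None:
    # The identifier is interpolated in its own, clearly separated piece of the
    # statement; the value is bound with a placeholder so the driver escapes it.
    sql = f"INSERT INTO {quote_identifier(table)} " "VALUES (1, ?)"
    conn.execute(sql, (value,))
    conn.commit()


def fetch_values(conn: sqlite3.Connection, table: str) -> list:
    sql = f"SELECT v FROM {quote_identifier(table)} ORDER BY rowid"
    return [row[0] for row in conn.execute(sql)]


def demo() -> tuple:
    """Show both halves: a bound value is stored verbatim, a bad identifier is refused."""
    conn = sqlite3.connect(":memory:")
    for name in sorted(ALLOWED_TABLES):
        conn.execute(f"CREATE TABLE {quote_identifier(name)} (id INTEGER, v TEXT)")

    # Constructed value that looks like SQL; as a bound parameter it is just text.
    hostile_value = "x'); DROP TABLE events; --"
    insert_row(conn, "events", hostile_value)
    stored = fetch_values(conn, "events")

    # A table name outside the allowlist is rejected before any SQL is built.
    try:
        insert_row(conn, "events; DROP TABLE audit_log", "y")
        rejected = False
    except ValueError:
        rejected = True

    return stored, rejected


if __name__ == "__main__":
    print(demo())
```

The allowlist is what makes the interpolated piece safe: quoting alone would stop an identifier from breaking out of the statement, but it would still let a caller point the query at any table the connection can reach.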
_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at 
https://mail.python.org/archives/list/python-ideas@python.org/message/RGX7KRJUUJ6O73H25FMBWEQWEKCX2QCV/
Code of Conduct: http://python.org/psf/codeofconduct/
