In message <[EMAIL PROTECTED]>, Duncan Booth wrote:

> However, your QuoteSQL messes up every time because it wraps double
> quotes round the whole string, so it isn't suitable for use with
> parameterised queries at all. If you care to modify it to work in that
> situation I think you'll find that the only characters you need to quote
> are \, % and _.
That won't work--that puts you into stupid mistake number 2. I think autoquoting is fine as far as it goes. But it cannot cope with wildcards, since it can't tell whether the string is being used in a LIKE clause without doing its own parsing of the MySQL query. And there are situations where you cannot rely on it, as in the QuoteSQLList example I gave earlier. This is why my QuoteSQL function cannot be designed to work together with autoquoting, but has to be used as a complete replacement for it.

> In particular it currently turns newlines into backslash followed by n which
> (since MySQL ignores the extra backslash escape) is equivalent to turning
> newlines into the character n.

But \n is valid MySQL syntax for a newline.

--
http://mail.python.org/mailman/listinfo/python-list
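The point Duncan raises above (with a parameterised query, the driver already handles quotes and newlines, so the only characters that still need quoting are the LIKE-pattern metacharacters \, % and _) can be shown with a small runnable example. This is an added illustration, not code from the thread and not Lawrence's QuoteSQL; it uses Python's built-in sqlite3 in place of MySQL so it runs offline, so the `ESCAPE '\'` clause is spelled out explicitly (in MySQL, backslash is the default LIKE escape character unless NO_BACKSLASH_ESCAPES is set). The table, column, function names and sample rows are all constructed for the example.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original thread).
# It deliberately includes a quote, a newline, a backslash and both LIKE
# wildcards so that each failure mode discussed in the thread is exercised.
SAMPLE_ROWS = [
    "100% cotton",
    "1000 units",
    "under_score",
    "underscore",
    "O'Reilly",
    "line one\nline two",
    "back\\slash",
]

LIKE_ESCAPE = "\\"  # the escape character named in the ESCAPE clause below


def escape_like(value, escape=LIKE_ESCAPE):
    """Escape only the characters that are special inside a LIKE pattern:
    the escape character itself, '%' and '_'.

    Quotes and newlines are NOT touched: with a parameterised query the
    driver binds the value as data, so no string-literal quoting is needed.
    The escape character must be doubled first, otherwise the backslashes
    added for % and _ would themselves be escaped a second time."""
    return (value.replace(escape, escape + escape)
                 .replace("%", escape + "%")
                 .replace("_", escape + "_"))


def make_db():
    """Build an in-memory table holding SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT)")
    conn.executemany("INSERT INTO items (name) VALUES (?)",
                     [(row,) for row in SAMPLE_ROWS])
    return conn


def search_contains(conn, needle, escaped=True):
    """Return the names containing `needle` as a literal substring.

    With escaped=True the user-supplied needle goes through escape_like()
    so that a '%' or '_' typed by the user matches itself.  With
    escaped=False the needle is bound as-is, which still prevents SQL
    injection (it is a bound parameter, never spliced into the SQL text)
    but lets the user's wildcards widen or break the match."""
    body = escape_like(needle) if escaped else needle
    pattern = "%" + body + "%"
    # The SQL text is constant; only the pattern is a bound parameter.
    # The ESCAPE literal is a single backslash (SQLite does no backslash
    # processing inside string literals).
    sql = "SELECT name FROM items WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    for needle in ("100%", "under_", "O'Reilly", "one\nline", "back\\slash"):
        print(repr(needle),
              "escaped:", search_contains(db, needle),
              "raw:", search_contains(db, needle, escaped=False))
```

Note that the quote in `O'Reilly` and the embedded newline need no treatment at all; they reach the database unchanged because they are bound as parameters rather than pasted into a string literal. Only the three LIKE metacharacters change the result between the escaped and raw calls, which is exactly the set Duncan lists.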