wes weston wrote:
Dennis Lee Bieber wrote:
    Try neither, the recommended method is to let the execute() do
the formatting... That way /it/ can apply the needed quoting of
arguments based upon the type of the data.

# DB-API drivers in the "format" paramstyle (e.g. MySQLdb) use %s for every
# parameter regardless of type, and the parameters must be a tuple: (MyValue,)
cursor.execute("insert into produkt1 (MyNumber) values (%s)", (MyValue,))


Dennis, do you know if this has some efficiency advantage, or is it just an agreed-upon custom?

It may have efficiency advantages if the DB caches requests. But the main advantages are that:
- it correctly escapes special chars such as "
- consequently it also protects against SQL injection attacks where MyValue might contain malicious SQL.

Kent
--
http://mail.python.org/mailman/listinfo/python-list
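An added, runnable illustration of Kent's two points (not code from the thread): it builds a small in-memory table named after the thread's produkt1 and compares caller-side % formatting with driver-side parameter binding. It assumes Python's bundled sqlite3 module, whose placeholder is ? rather than the %s of MySQLdb; the sample values are constructed for the demonstration.

```python
import sqlite3

# Constructed sample values for the demonstration (not from the thread).
QUOTE_NAME = "O'Brien"       # a legitimate value that happens to contain a quote
INJECTION = "' OR '1'='1"    # a value crafted to change the query's meaning

def setup():
    """In-memory table mirroring the thread's produkt1, plus a text column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table produkt1 (MyNumber integer, Name text)")
    conn.executemany("insert into produkt1 values (?, ?)", [(1, "widget"), (2, "gadget")])
    return conn

def insert_formatted(conn, value):
    """Caller-side % formatting: the driver never sees a parameter, so a quote
    inside the value becomes part of the SQL text."""
    conn.execute("insert into produkt1 (MyNumber, Name) values (3, '%s')" % value)

def insert_bound(conn, value):
    """Driver-side binding: the value is passed separately and stored verbatim."""
    conn.execute("insert into produkt1 (MyNumber, Name) values (?, ?)", (3, value))

def count_formatted(conn, name):
    return conn.execute("select count(*) from produkt1 where Name = '%s'" % name).fetchone()[0]

def count_bound(conn, name):
    return conn.execute("select count(*) from produkt1 where Name = ?", (name,)).fetchone()[0]

def demo():
    conn = setup()
    # 1. A legitimate quote breaks the formatted statement but not the bound one.
    try:
        insert_formatted(conn, QUOTE_NAME)
        formatted_ok = True
    except sqlite3.OperationalError:   # syntax error at the stray quote
        formatted_ok = False
    insert_bound(conn, QUOTE_NAME)
    stored = conn.execute("select Name from produkt1 where MyNumber = 3").fetchone()[0]
    # 2. A tautology in the value matches every row when formatted in,
    #    and no row when bound (no product is literally named that).
    injected = count_formatted(conn, INJECTION)
    bound = count_bound(conn, INJECTION)
    return formatted_ok, stored, injected, bound

if __name__ == "__main__":
    print(demo())   # (False, "O'Brien", 3, 0)
```

The same contrast holds for MySQLdb with %s placeholders; the escaping is done by the driver, which is why Dennis's advice is to hand the values to execute() rather than format them in yourself.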
