Sadly no. There is no utterance too inconsequential.

On Sun, Sep 28, 2008 at 3:10 PM, Steve Holden <[EMAIL PROTECTED]> wrote:

> Michael Mabin wrote:
> > Tino, dude, I'm afraid I lied about my previous post being the last
> > word. There are some things you said here that must be addressed.
>
> Good grief, is there no utterance so inconsequential that you will walk
> away from it without yet another round of retaliation?
>
> I believe that all people were trying to convey is:
>
> 1. There are some data patterns that cannot be directly incorporated
> into SQL statements without additional processing, regardless of whether
> the "intention" of the data's originator is malevolent. A good example
> is a string value containing an apostrophe, which in most SQL
> implementations you can escape by preceding the apostrophe with another
> apostrophe.
>
> 2. SQL drivers in Python are written so that no matter what the values
> of the data may be, and no matter which backend they implement, data may
> safely be passed as a tuple to a parameterized statement without such
> cleansing because the drivers are written to ensure "dangerous" values
> are appropriately handled.
>
> Having said all that, if you are positive none of your string data
> contains apostrophes you are, of course, free to build SQL statements
> yourself - though doing so will on some systems lose you the speed
> advantages offered by "prepared statements". Similarly, if you are *not*
> positive of the quality of your data you are free to do the escaping in
> your logic rather than using parameterized queries. This could be called
> "buying a dog and barking yourself".
>
> regards
> Steve
> --
> Steve Holden +1 571 484 6266 +1 800 494 3119
> Holden Web LLC http://www.holdenweb.com/
>
> --
> http://mail.python.org/mailman/listinfo/python-list

--
| _ | * | _ |
| _ | _ | * |
| * | * | * |
-- http://mail.python.org/mailman/listinfo/python-list
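The three approaches Steve's quoted post contrasts (string-built SQL, manual apostrophe doubling, and a parameterized statement), shown as an added example that is not from the thread. It uses the standard-library `sqlite3` driver and a constructed in-memory table; the function names and sample rows are assumptions for illustration.

```python
import sqlite3

# Constructed sample data: one name contains an apostrophe.
SAMPLE_ROWS = [("O'Brien", 42), ("Smith", 7)]


def _fresh_db():
    """Constructed in-memory table loaded via a parameterized INSERT."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, score INTEGER)")
    conn.executemany("INSERT INTO people VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_naive(name):
    """Builds the statement by string formatting. An apostrophe in `name`
    terminates the SQL literal early, so the statement fails to parse."""
    conn = _fresh_db()
    sql = "SELECT score FROM people WHERE name = '%s'" % name
    try:
        row = conn.execute(sql).fetchone()
        return row[0] if row else None
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc
    finally:
        conn.close()


def lookup_escaped(name):
    """Escapes in application logic by doubling each apostrophe, the
    'barking yourself' option from the post."""
    conn = _fresh_db()
    sql = "SELECT score FROM people WHERE name = '%s'" % name.replace("'", "''")
    try:
        row = conn.execute(sql).fetchone()
        return row[0] if row else None
    finally:
        conn.close()


def lookup_param(name):
    """Passes the value as a tuple to a parameterized statement; the driver
    quotes it, so the apostrophe needs no handling in application code."""
    conn = _fresh_db()
    try:
        row = conn.execute("SELECT score FROM people WHERE name = ?", (name,)).fetchone()
        return row[0] if row else None
    finally:
        conn.close()
```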