Leif K-Brooks wrote:
> But Python's DB-API (the standard way to connect to an SQL database
> from Python) makes escaping SQL strings automatic. You can do this:
>
> cursor.execute('UPDATE foo SET bar=%s WHERE id=%s', ["foo'bar", 123])
So. I've been writing SQL queries in Python like this, using PostgreSQL
and psycopg:

    cursor.execute("select * from foo where bar=%s" % baz)

Is that wrong, and how was I supposed to know that this is bad syntax?
No doc I have seen has actually told me so.

-- 
Leif Biberg Kristensen
http://solumslekt.org/

-- 
http://mail.python.org/mailman/listinfo/python-list
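Added example, not part of the thread: the two call shapes above side by side, run against the standard-library sqlite3 module so it works without a PostgreSQL server. sqlite3's placeholder is `?` (paramstyle `qmark`) where psycopg's is `%s` (paramstyle `pyformat`), but the point is the same in both: the value goes to `execute()` as a second argument and the driver binds it, instead of Python's `%` operator pasting it into the SQL text. The table, its rows and the helper names are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory table for the demo; not from the original thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (id integer primary key, bar text)")
    conn.executemany("insert into foo (bar) values (?)",
                     [("foo'bar",), ("plain",)])
    conn.commit()
    return conn


def _run(conn, sql, params=()):
    """Execute and report ('ok', rows) or ('error', message) instead of raising,
    so the two patterns can be compared on the same inputs."""
    try:
        return ("ok", conn.execute(sql, params).fetchall())
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def query_interpolated(conn, baz):
    """The pattern from the post: Python's % operator pastes the value into the
    SQL text before the database sees it. Nothing quotes or escapes it, so the
    value becomes part of the statement's syntax rather than data."""
    sql = "select * from foo where bar=%s" % baz
    return _run(conn, sql)


def query_parameterized(conn, baz):
    """The DB-API pattern: the placeholder stays in the SQL and the value is
    handed to execute() separately, so the driver binds it as a string value.
    sqlite3 uses '?' (sqlite3.paramstyle == 'qmark'); psycopg uses '%s'
    (paramstyle 'pyformat'); the two-argument call is the same idea."""
    return _run(conn, "select * from foo where bar=?", (baz,))


if __name__ == "__main__":
    conn = make_db()
    for value in ("plain", "'plain'", "foo'bar"):
        print("interpolated  %-10r -> %r" % (value, query_interpolated(conn, value)))
        print("parameterized %-10r -> %r" % (value, query_parameterized(conn, value)))
```

With `%` interpolation, a bare value such as `plain` is parsed as a column name and fails, hand-quoting it as `'plain'` happens to work, and the quoted example's own value `foo'bar` breaks the statement outright because the apostrophe ends the string early. The parameterized call returns the matching row for `foo'bar` and simply finds nothing for `'plain'`, because the quotes are part of the data, never part of the SQL.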