On 6/25/2010 12:09 AM, Paul Rubin wrote:
> Nobody <nob...@nowhere.com> writes:
>> More generally, as a program gets more complex, "this will work so long as
>> we do X every time without fail" approaches "this won't work".

   Yes.  I was just looking at some of my own code.  Out of about 100
SQL statements, I'd used manual escaping once, in code where the WHERE
clause is built up depending on what information is available for the
search.  It's done properly, using "MySQLdb.escape_string(s)", which
is what's used inside "cursor.execute".  Looking at the code, I
now realize that it would have been better to
add sections to the SQL string with standard escapes, and at the same
time, append the key items to a list.  Then the list can be
converted to a tuple for submission to "cursor.execute".

                                John Nagle
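The pattern described in the message above (append a placeholder fragment to the SQL string and, in the same step, append the value to a list, then hand the list to cursor.execute as a tuple), written out as an added example that is not code from the original post or from John Nagle. It assumes a table "people" with columns name, city and age, and uses the standard-library sqlite3 module so it runs offline; sqlite3 uses "?" placeholders where MySQLdb uses "%s", but the driver-side quoting is the point in both cases. Column names come only from a fixed allow-list, since placeholders cannot parameterize identifiers.

```python
import sqlite3

# Constructed sample rows for the demo database (not data from the post).
SAMPLE_ROWS = [
    ("alice", "Boston", 34),
    ("bob", "Austin", 41),
    ("carol", "Boston", 29),
    ("o'neil", "Boston", 52),
]

# Filters the caller is allowed to use. Column names are never taken from
# untrusted input; only the values are, and those go through placeholders.
SEARCHABLE_COLUMNS = {"name", "city", "min_age"}


def build_search_query(filters):
    """Return (sql, params) for a WHERE clause built from optional filters.

    Each filter that is present appends one fragment with a placeholder to
    the SQL and its value to the parameter list in the same step, so the
    two can never drift apart and no value is ever spliced into the string.
    """
    clauses = []
    params = []
    for key, value in filters.items():
        if key not in SEARCHABLE_COLUMNS:
            raise ValueError("unsupported filter: %r" % (key,))
        if value is None:
            continue  # information not available for this search
        if key == "min_age":
            clauses.append("age >= ?")
        else:
            clauses.append("%s = ?" % key)  # key is from the allow-list above
        params.append(value)
    sql = "SELECT name, city, age FROM people"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY name"
    # The list becomes the tuple submitted to cursor.execute().
    return sql, tuple(params)


def search(conn, filters):
    """Run the dynamically built query and return the matching rows."""
    sql, params = build_search_query(filters)
    cur = conn.cursor()
    cur.execute(sql, params)
    return cur.fetchall()


def make_demo_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, city TEXT, age INTEGER)")
    conn.executemany("INSERT INTO people VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    print(search(conn, {"city": "Boston", "min_age": 30}))
    # A value containing a quote is plain data to the driver, no manual
    # escaping needed, and a value shaped like SQL matches nothing.
    print(search(conn, {"name": "o'neil"}))
    print(search(conn, {"name": "' OR 1=1 --"}))
```

Because the value list grows in lockstep with the clause list, a missing filter simply contributes nothing to either, which is the "standard escapes" approach the message arrives at; the driver handles quoting for every value regardless of how many fragments were appended.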

--
http://mail.python.org/mailman/listinfo/python-list
