On Mon, 2006-10-09 at 19:03 +0100, Tom Smith wrote:
> In trying to do some custom SQL to search for words (so "Three" but
> not "Threesome")
>
> ... but because the call adds quotes.. I have had to do this...
>
>     for word in words:
>         sql = """select count(*) from myapp_product WHERE title
>                  LIKE (%s)
>                  AND title RLIKE %s """
>         word1 = '%%%s%%' % word
>         word2 = '[[:<:]]%s[[:>:]]' % word
>         cursor.execute(sql, [word1, word2])
>
> So that the params get quoted up nicely with the necessary sql...
> very ungainly...
>
> It would be nice if there was a way to use custom sql without having
> to pass params to it.
Can you explain this in a different way? It's not clear what problem you are
trying to solve. If you don't want to use params, don't use them; but then you
are responsible for doing the SQL quoting yourself (and any mistakes will leave
you vulnerable to an SQL-injection attack).

Django just uses the standard Python DB-API 2.0 interfaces for interacting with
the connections and cursors, so everything you have written above is standard
Python stuff (needing to put in "%%" when you need "%" is the necessary
side-effect of having an escape character in your output).

Regards,
Malcolm
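The point Malcolm makes, shown as an added example that is not code from either message in this thread: the same word search Tom describes, written against sqlite3 from the Python standard library so it runs offline. The table and product titles are constructed sample data; sqlite has no RLIKE, so a REGEXP function is registered in its place, and the `?` placeholder is sqlite3's paramstyle where MySQLdb (the driver behind Django's MySQL backend) would use `%s`. The parameterised version also escapes LIKE and regex metacharacters in the word, which the original snippet did not do; the unparameterised version is the pattern the reply warns against.

```python
import re
import sqlite3

# Constructed sample rows, not data from the original thread.
PRODUCTS = [
    "Three Musketeers",
    "Threesome Reloaded",
    "Free Three",
    "O'Reilly Three",
    "Third",
]


def open_db():
    """Create an in-memory database shaped like the myapp_product table in the post."""
    conn = sqlite3.connect(":memory:")
    # sqlite has no RLIKE; `X REGEXP Y` calls the user function regexp(Y, X),
    # so the callback receives (pattern, value).
    conn.create_function(
        "REGEXP", 2,
        lambda pattern, value: 1 if value is not None and re.search(pattern, value) else 0,
    )
    conn.execute("CREATE TABLE myapp_product (title TEXT)")
    conn.executemany("INSERT INTO myapp_product VALUES (?)", [(t,) for t in PRODUCTS])
    return conn


def count_whole_word(conn, word):
    """Count products whose title contains `word` as a whole word, using DB-API params.

    The driver quotes the parameter values, so quotes inside `word` cannot alter
    the statement. We still escape LIKE wildcards and regex metacharacters, since
    parameters protect the SQL syntax but not the semantics of a pattern.
    """
    like_arg = "%" + (
        word.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    ) + "%"
    regex_arg = r"\b" + re.escape(word) + r"\b"   # Python's word boundary, MySQL's [[:<:]] ... [[:>:]]
    sql = """SELECT COUNT(*) FROM myapp_product
             WHERE title LIKE ? ESCAPE '\\'
               AND title REGEXP ?"""
    return conn.execute(sql, (like_arg, regex_arg)).fetchone()[0]


def count_unsafe(conn, word):
    """Substring count with the value interpolated into the SQL text.

    This is what "custom sql without params" amounts to: the caller is now the
    one responsible for quoting, and `%%` is needed because `%` is the
    str-formatting escape character.
    """
    sql = "SELECT COUNT(*) FROM myapp_product WHERE title LIKE '%%%s%%'" % word
    return conn.execute(sql).fetchone()[0]


def unsafe_breaks_on(conn, word):
    """Return True when interpolating `word` produces a statement the database rejects."""
    try:
        count_unsafe(conn, word)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    for w in ["Three", "Threesome", "Thr", "O'Reilly"]:
        print(f"{w!r}: whole-word matches = {count_whole_word(db, w)}")
    print("interpolating O'Reilly breaks the query:", unsafe_breaks_on(db, "O'Reilly"))
```

The `%%` Malcolm mentions shows up in `count_unsafe` only because Python's `%` operator is doing the substitution; with a format-paramstyle driver such as MySQLdb the same doubling is needed inside the SQL template even when parameters are used, while sqlite3's `?` placeholders have no such collision.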