My understanding is that for a sql prefix the most valuable part is to be able
to know that it was created from a literal. No other magic, definitely not
auto-executing. Then it would be legal to write
result = conn.execute(sql"SELECT * FROM people WHERE id=?", user_id)
but not
result = conn.execute(f"SELECT * FROM people WHERE id={user_id}")
In order to achieve this, the `execute()` method only has to look at
the type of its argument, and throw an error if it's a plain string.
Perhaps with some more imagination we can make
result = conn.execute(sql"SELECT * FROM people WHERE id={user_id}")
work too, but in this case the `sql"..."` token would only create an
`UnpreparedStatement` object, which expects a variable named "user_id",
and then the `conn.execute()` method would pass locals()/globals() into
the `.prepare()` method of that statement, binding those values to
the placeholders. Crucially, the `.prepare()` method shouldn't modify the
object, but return a new PreparedStatement, which then gets executed
by the `conn.execute()`.
_______________________________________________
Python-ideas mailing list -- [email protected]
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at
https://mail.python.org/archives/list/[email protected]/message/Y4ISQCWYFNC5DNGUQYRXY5IZMOYUAYVP/
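As an added illustration (not code from the thread or from Python itself), here is the design sketched in the message: a plain `sql()` function stands in for the hypothetical `sql"..."` prefix, `execute()` rejects plain strings, and `.prepare()` returns a new statement instead of mutating the old one. The class names `Conn`, `UnpreparedStatement` and `PreparedStatement`, the `{name}` placeholder syntax and the sqlite table are my assumptions.

```python
import sqlite3
import string
from dataclasses import dataclass

# Stand-ins for the proposal (assumed names): sql() plays the sql"..." prefix,
# since Python has no custom string prefixes. Nothing here executes on its own.
@dataclass(frozen=True)
class PreparedStatement:
    query: str      # SQL with ? placeholders for the driver
    params: tuple   # bound values, in placeholder order

@dataclass(frozen=True)
class UnpreparedStatement:
    template: str   # literal text with {name} placeholders

    def prepare(self, namespace):
        # Returns a new PreparedStatement; self is frozen and never mutated.
        parts, params = [], []
        for literal, field, spec, conv in string.Formatter().parse(self.template):
            parts.append(literal)
            if field is not None:
                if spec or conv or not field.isidentifier():
                    raise ValueError(f"unsupported placeholder {{{field}}}")
                parts.append("?")
                params.append(namespace[field])  # KeyError if name is unbound
        return PreparedStatement("".join(parts), tuple(params))

def sql(literal):
    return UnpreparedStatement(literal)

class Conn:
    def __init__(self):
        self._db = sqlite3.connect(":memory:")
        self._db.execute("CREATE TABLE people (id INTEGER, name TEXT)")
        self._db.executemany("INSERT INTO people VALUES (?, ?)", [(1, "ann"), (2, "bob")])

    def execute(self, stmt, namespace=None):
        if isinstance(stmt, str):   # f-strings and concatenations arrive here
            raise TypeError('plain str rejected; build the query with sql"..."')
        if isinstance(stmt, UnpreparedStatement):
            stmt = stmt.prepare(namespace or {})
        return self._db.execute(stmt.query, stmt.params).fetchall()

def demo():
    conn = Conn()
    user_id = 1
    by_id = conn.execute(sql("SELECT name FROM people WHERE id={user_id}"), locals())
    user_id = "1 OR 1=1"  # constructed hostile value: bound as data, never spliced as SQL
    hostile = conn.execute(sql("SELECT name FROM people WHERE id={user_id}"), locals())
    return {"by_id": by_id, "hostile": hostile}
```

Passing `locals()` mirrors the message's idea of `conn.execute()` handing the caller's namespace to `.prepare()`; a real implementation would capture that namespace at the call site rather than asking the caller for it.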