In message <[EMAIL PROTECTED]>, Steve Holden wrote:

> Lawrence D'Oliveiro wrote:
>> In message <[EMAIL PROTECTED]>, Steve Holden wrote:
>>
>>> Lawrence D'Oliveiro wrote:
>>>
>>>> In message <[EMAIL PROTECTED]>, Steve Holden wrote:
>>>>
>>>>> When you use the DB API correctly and parameterise your queries you
>>>>> still need to quote wildcards in search arguments, but you absolutely
>>>>> shouldn't quote the other SQL specials.
>>>>>
>>>>> That's what parameterised queries are for in the first place...
>>>>
>>>> So you're suggesting I quote the wildcards, then rely on autoquoted
>>>> parameters to handle the rest? Unfortunately, that's stupid mistake
>>>> number 2.
>>>
>>> Ah, so your quoting function will deduce the context in which arguments
>>> intended for parameter substitution in the query will be used? Or are
>>> you suggesting that it's unwise to rely on autoquoted parameters?
>>
>> No, I'm saying it's _incorrect_ to use the existing autoquoting mechanism
>> in combination with a separate function that escapes the wildcards. I
>> previously described the two stupid mistakes that can arise from having a
>> separate function for doing just the wildcard quoting: this is the second
>> one.
>>
> Sadly your assertions alone fail to convince. Perhaps you could provide
> a concrete example?

Sorry, that turned out to be wrong. You do in fact need to escape the escapes on wildcards.

-- 
http://mail.python.org/mailman/listinfo/python-list
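The point the thread converges on (bind the value as a parameter, escape only the LIKE wildcards, and escape the escape character itself) as an added example that is not part of the original message. It assumes SQLite via Python's `sqlite3` module and a constructed `users` table; the `escape_like_naive` function reproduces the mistake of escaping the wildcards but not the escapes, to show what goes wrong.

```python
import sqlite3

ESC = "\\"  # single backslash, handed to the ESCAPE clause as a bound parameter


def escape_like(term: str, esc: str = ESC) -> str:
    """Escape LIKE metacharacters in a user-supplied search term.

    Order matters: the escape character is doubled first, so a term that
    already contains a backslash cannot swallow a later '%' or '_' escape.
    String-delimiter quoting is deliberately NOT done here; the bound
    parameter takes care of that.
    """
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def escape_like_naive(term: str, esc: str = ESC) -> str:
    """The mistake under discussion: wildcards escaped, escapes not."""
    return term.replace("%", esc + "%").replace("_", esc + "_")


def search_names(conn, term, escaper=escape_like):
    """Substring search: value bound as a parameter, wildcards via ESCAPE."""
    pattern = "%" + escaper(term) + "%"
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE ? ORDER BY name",
        (pattern, ESC),
    )
    return [name for (name,) in rows]


def demo_db():
    """Constructed sample data (hypothetical, not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("100%_done",), ("bob_smith",),
                      ("c:\\temp",), ("o'neil",)])
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(search_names(db, "%_"))        # ['100%_done']  literal wildcards
    print(search_names(db, "o'n"))       # ["o'neil"]     quote handled by binding
    print(search_names(db, "\\t"))       # ['c:\\temp']   backslash searched literally
    # Forgetting to escape the escape turns "\t" into "any t", so the
    # search for a backslash matches unrelated rows:
    print(search_names(db, "\\t", escape_like_naive))  # ['bob_smith', 'c:\\temp']
```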