Michael Mabin wrote:
> Tino, dude, I'm afraid I lied about my previous post being the last
> word. There are some things you said here that must be addressed.

Good grief, is there no utterance so inconsequential that you will walk away from it without yet another round of retaliation?

I believe that all that people were trying to convey is:

1. There are some data patterns that cannot be directly incorporated into SQL statements without additional processing, regardless of whether the "intention" of the data's originator is malevolent. A good example is a string value containing an apostrophe, which in most SQL implementations you can escape by preceding the apostrophe with another apostrophe.

2. SQL drivers in Python are written so that no matter what the values of the data may be, and no matter which backend they implement, data may safely be passed as a tuple to a parameterized statement without such cleansing, because the drivers are written to ensure "dangerous" values are appropriately handled.

Having said all that, if you are positive none of your string data contains apostrophes you are, of course, free to build SQL statements yourself, though doing so will on some systems lose you the speed advantages offered by "prepared statements". Similarly, if you are *not* positive of the quality of your data you are free to do the escaping in your logic rather than using parameterized queries. This could be called "buying a dog and barking yourself".

regards
 Steve
--
Steve Holden        +1 571 484 6266   +1 800 494 3119
Holden Web LLC      http://www.holdenweb.com/
--
http://mail.python.org/mailman/listinfo/python-list
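The three approaches Steve contrasts, as an added example that is not part of the original post or thread: building the statement by string formatting (breaks on an apostrophe and is open to injection), manual escaping by doubling apostrophes, and passing the value as a tuple to a parameterized query so the DB-API driver does the quoting. It uses the standard-library sqlite3 module with an in-memory database, and the table and sample names (including an injection-style value) are constructed here for illustration.

```python
import sqlite3

# Constructed sample data for this example (not from the thread): one name
# contains an apostrophe, one is a classic injection payload.
SAMPLE_NAMES = ["O'Brien", "Smith", "x' OR '1'='1"]


def make_db():
    """Create an in-memory table and load the sample names via executemany."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    return conn


def lookup_naive(conn, name):
    """Build the statement with string formatting: an apostrophe in the data
    terminates the literal early, so 'O'Brien' is a syntax error and a
    crafted value rewrites the WHERE clause."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, name):
    """Escape by hand, doubling each apostrophe as the post describes.
    Correct for SQLite, but the caller now owns the quoting rules of every
    backend the code is ever run against."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name.replace("'", "''")
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Parameterized query: the value goes in a tuple and never touches the
    SQL text, so the driver handles quoting regardless of content."""
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def demo():
    """Run each lookup against the apostrophe and injection values and
    collect the outcomes in a dict keyed by approach and input."""
    conn = make_db()
    results = {}
    try:
        results["naive_apostrophe"] = lookup_naive(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        results["naive_apostrophe"] = "error: %s" % exc
    results["naive_injection"] = lookup_naive(conn, "x' OR '1'='1")
    results["escaped_apostrophe"] = lookup_escaped(conn, "O'Brien")
    results["escaped_injection"] = lookup_escaped(conn, "x' OR '1'='1")
    results["param_apostrophe"] = lookup_param(conn, "O'Brien")
    results["param_injection"] = lookup_param(conn, "x' OR '1'='1")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-20s %s" % (key, value))
```

The naive lookup raises on "O'Brien" and returns every row for the injection value, because the closing quote in the data ends the literal and the rest becomes SQL. Both the hand-escaped and the parameterized lookups match exactly the row whose name equals the input, including the row literally named `x' OR '1'='1`; the difference is only who is responsible for getting the quoting right.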