Lawrence D'Oliveiro wrote:

> In message <gu0ofm$oj9$0...@news.t-online.com>, Peter Otten wrote:
>
>> While it may not matter here using placeholders instead of manually
>> escaping user-provided values is a good habit to get into.
>
> Until you hit things it can't deal with.
The post you are replying to was talking about using the SQL library's "?" syntax that automatically escapes values. The usual reason this is recommended (if I have understood correctly) is that the library code is much more likely to foil injection attacks. I have seen this mentioned often and assume it is good advice.

Can you expand on your comment? I assume you are thinking of how the library might handle some strange class. But isn't the number of types limited by SQL? In which case a "thing that can't be handled" could presumably be managed by adding an appropriate __str__ or __float__ or whatever? And you would still use the library to give safety with other values.

Maybe you could give an example of the kind of problem you're thinking of?

Thanks,
Andrew

--
http://mail.python.org/mailman/listinfo/python-list
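As an added illustration (not part of this thread), the following sqlite3 session shows the difference Peter's "?" placeholder advice is about, and one way to handle a type the library cannot bind on its own; the adapter approach and the sample table are my assumptions about what "things it can't deal with" refers to.

```python
import sqlite3
from decimal import Decimal

# sqlite3 can only bind a few parameter types (None, int, float, str, bytes).
# An adapter tells the library how to turn an unsupported type into one it
# can bind, so the value still travels through a "?" placeholder.
sqlite3.register_adapter(Decimal, lambda d: str(d))


def setup_db():
    """In-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, balance TEXT)")
    rows = [("alice", "10.50"), ("O'Brien", "3.25")]
    conn.executemany("INSERT INTO users VALUES (?, ?)", rows)
    return conn


def lookup_concat(conn, name):
    """Hand-built SQL: the value is pasted into the statement text, so a
    quote inside it changes the statement's structure. Here that breaks the
    query; a crafted value could change what the statement does instead."""
    sql = "SELECT balance FROM users WHERE name = '" + name + "'"
    try:
        return [r[0] for r in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def lookup_placeholder(conn, name):
    """Placeholder style: the value never becomes part of the SQL text,
    so quotes in it are plain data."""
    sql = "SELECT balance FROM users WHERE name = ?"
    return [r[0] for r in conn.execute(sql, (name,))]


def insert_decimal(conn, name, amount_text):
    """Bind a Decimal, a type sqlite3 cannot handle natively, via the
    adapter registered above rather than by escaping it by hand."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (name, Decimal(amount_text)))
    return lookup_placeholder(conn, name)


if __name__ == "__main__":
    db = setup_db()
    print(lookup_concat(db, "O'Brien"))        # error: ... (statement no longer parses)
    print(lookup_placeholder(db, "O'Brien"))   # ['3.25']
    print(insert_decimal(db, "carol", "7.75"))  # ['7.75']
```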