On May 8, 1:49 pm, "andrew cooke" <and...@acooke.org> wrote:
> Lawrence D'Oliveiro wrote:
> > In message <gu0ofm$oj9$0...@news.t-online.com>, Peter Otten wrote:
>
> >> While it may not matter here, using placeholders instead of manually escaping user-provided values is a good habit to get into.
>
> > Until you hit things it can't deal with.
>
> The post you are replying to was talking about using the SQL library's "?" syntax that automatically escapes values. The usual reason this is recommended (if I have understood correctly) is that the library code is much more likely to foil injection attacks. I have seen this mentioned often and assume it is good advice.
>
> Can you expand on your comment? I assume you are thinking of how the library might handle some strange class. But aren't the number of types limited by SQL? In which case a "thing that can't be handled" could presumably be managed by adding an appropriate __str__ or __float__ or whatever? And you would still use the library to give safety with other values.
>
> Maybe you could give an example of the kind of problem you're thinking of?
>
> Thanks,
> Andrew
Injection attacks aren't an issue, it's a local app. It's part of a reconciliation system, where sometimes data is in csv files. If you want the whole csv file, you can use the csv module without a problem. In some cases, I need to manipulate the data. The choices are hard-code the manipulation, or load the data from a config file. So what I've got is the query in the config and I can process it.

Nick
--
http://mail.python.org/mailman/listinfo/python-list
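The two points the thread circles around, the "?" placeholder syntax Andrew describes and the "things it can't deal with" Lawrence alludes to, side by side in Python's sqlite3 module. This is an added example, not code from any poster: the table, rows and the Decimal amounts are constructed, and the fix for an unbindable type is sqlite3.register_adapter, since sqlite3 does not consult __str__ or __float__ on its own.

```python
import sqlite3
from decimal import Decimal

# Constructed sample rows, the kind a CSV-driven reconciliation job might produce.
# The apostrophe and the Decimal type are the two things that trip each approach.
ROWS = [("O'Brien", Decimal("12.50")), ("Smith", Decimal("3.25"))]


def insert_naive(conn, name, amount):
    # Manual quoting: the data is spliced into the SQL text, so a single quote
    # in the value changes the statement itself (here: a syntax error).
    conn.execute("INSERT INTO ledger (name, amount) VALUES ('%s', %s)" % (name, amount))


def insert_bound(conn, name, amount):
    # "?" placeholders: the driver binds each value as data, quotes included,
    # so the SQL text never changes regardless of the value's contents.
    conn.execute("INSERT INTO ledger (name, amount) VALUES (?, ?)", (name, amount))


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ledger (name TEXT, amount REAL)")
    results = {}

    try:
        insert_naive(conn, "O'Brien", Decimal("12.50"))
        results["naive"] = "ok"
    except sqlite3.OperationalError:
        # VALUES ('O'Brien', 12.50) is not valid SQL.
        results["naive"] = "OperationalError"

    try:
        # Decimal is not one of the types sqlite3 knows how to bind:
        # this is the "thing it can't deal with".
        insert_bound(conn, "O'Brien", Decimal("12.50"))
        results["bound_decimal_ok"] = True
    except sqlite3.Error:
        results["bound_decimal_ok"] = False

    # Teach the driver how to convert Decimal; binding then works for every row,
    # and the apostrophe is stored literally because it is never parsed as SQL.
    sqlite3.register_adapter(Decimal, float)
    for name, amount in ROWS:
        insert_bound(conn, name, amount)
    results["rows"] = conn.execute(
        "SELECT name, amount FROM ledger ORDER BY name"
    ).fetchall()
    return results
```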