Lawrence D'Oliveiro wrote:
> In message <mailman.2376.1257005738.2807.python-l...@python.org>, Carsten
> Haese wrote:
>
>> Lawrence D'Oliveiro wrote:
>>
>>> In message <mailman.2357.1256964121.2807.python-l...@python.org>, Dennis
>>> Lee Bieber wrote:
>>>
>>>> This way regular string interpolation operations (or whatever Python
>>>> 3.x has replaced it with) are safe to construct the SQL, leaving only
>>>> user supplied (or program generated) data values to be passed via the
>>>> DB-API parameter system -- so that they are properly escaped and
>>>> rendered safe.
>>> Mixing the two is another recipe for confusion and mistakes.
>> Mixing the two is necessary.
>> ...
>> As long as you understand what you're doing, there should be no confusion.
>> (And if you don't understand what you're doing, you shouldn't be doing
>> it!)
>
> But if you understand what you're doing, you don't need to mix the two.

Are we talking about the same thing here? I thought we're talking about
string interpolation and parameter binding, and I explained that mixing
those two is necessary if you have a query in which the "movable" bits
are identifiers or other syntax elements.

On what grounds are you asserting that it's not necessary to mix the
two? Please elaborate your point.

--
Carsten Haese
http://informixdb.sourceforge.net
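
The mixing described in the message above, as an added example that is not part of the original post: identifiers are interpolated into the SQL text only after an allowlist check, while the data value goes through the DB-API parameter system. It assumes the standard-library sqlite3 driver; the `users` table, the allowlist and the function names are hypothetical.

```python
import sqlite3

# Hypothetical allowlist: identifiers the program itself defines, per table.
ALLOWED_COLUMNS = {"users": {"id", "name", "email"}}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def build_query(table, filter_col, order_col, direction="ASC"):
    """Interpolate identifiers after allowlist checks; leave the value as '?'."""
    columns = ALLOWED_COLUMNS.get(table)
    if columns is None:
        raise ValueError(f"unknown table: {table!r}")
    for col in (filter_col, order_col):
        if col not in columns:
            raise ValueError(f"unknown column: {col!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"bad sort direction: {direction!r}")
    # Identifiers and keywords cannot be bound as parameters, so these
    # "movable" syntax elements are interpolated into the SQL text.
    return (f'SELECT id, name FROM "{table}" '
            f'WHERE "{filter_col}" = ? ORDER BY "{order_col}" {direction}')


def find_rows(conn, table, filter_col, value, order_col, direction="ASC"):
    sql = build_query(table, filter_col, order_col, direction)
    # The data value travels separately, so quotes in it stay plain data.
    return conn.execute(sql, (value,)).fetchall()


def demo_db():
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "a@example.test"), ("o'brien", "a@example.test")])
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(find_rows(db, "users", "email", "a@example.test", "name", "desc"))
```
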