In message <mailman.2397.1257034364.2807.python-l...@python.org>, Carsten Haese wrote:
> Lawrence D'Oliveiro wrote:
>
>> In message <mailman.2376.1257005738.2807.python-l...@python.org>, Carsten
>> Haese wrote:
>>
>>> Lawrence D'Oliveiro wrote:
>>>
>>>> In message <mailman.2357.1256964121.2807.python-l...@python.org>,
>>>> Dennis Lee Bieber wrote:
>>>>
>>>>> This way regular string interpolation operations (or whatever Python
>>>>> 3.x has replaced it with) are safe to construct the SQL, leaving only
>>>>> user supplied (or program generated) data values to be passed via the
>>>>> DB-API parameter system -- so that they are properly escaped and
>>>>> rendered safe.
>>>>
>>>> Mixing the two is another recipe for confusion and mistakes.
>>>
>>> Mixing the two is necessary.
>>> ...
>>> As long as you understand what you're doing, there should be no
>>> confusion. (And if you don't understand what you're doing, you shouldn't
>>> be doing it!)
>>
>> But if you understand what you're doing, you don't need to mix the two.
>
> On what grounds are you asserting that it's not necessary to mix the
> two? Please elaborate your point.

On the grounds that Python has more general and powerful string
parameter-substitution mechanisms than anything built into any database API.
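
The mix described in the quoted text from Dennis Lee Bieber, as an added example that is not part of the original thread: string formatting builds only the SQL structure (here a sort column checked against an allowlist), while data values go through the DB-API parameter system. The `users` table, the `SORTABLE` set and the function names are assumptions for illustration, using the standard-library `sqlite3` module.

```python
import sqlite3

# Hypothetical allowlist: the only column names the program will place in SQL text.
SORTABLE = {"name", "created"}

def build_query(sort_column, descending=False):
    """Interpolate program-controlled SQL structure only; data stays a '?' placeholder."""
    if sort_column not in SORTABLE:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    direction = "DESC" if descending else "ASC"
    return ('SELECT name, created FROM users WHERE name LIKE ? '
            f'ORDER BY "{sort_column}" {direction}')

def find_users(conn, pattern, sort_column, descending=False):
    # The user-supplied pattern is bound by the driver, never formatted into the SQL.
    return conn.execute(build_query(sort_column, descending), (pattern,)).fetchall()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, created TEXT)")
    # Constructed sample rows.
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "2009-10-01"),
        ("bob", "2009-10-15"),
        ("o'brien", "2009-10-20"),
    ])
    results = {
        "by_name": find_users(conn, "%", "name"),
        # A value containing a quote needs no manual escaping.
        "quote": find_users(conn, "o'b%", "created"),
        # A value shaped like SQL is compared as plain text and matches nothing.
        "hostile": find_users(conn, "x' OR '1'='1", "name"),
    }
    try:
        # Identifiers cannot be bound as parameters, so the allowlist guards them.
        find_users(conn, "%", "name; DROP TABLE users")
        results["rejected"] = False
    except ValueError:
        results["rejected"] = True
    results["count_after"] = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    conn.close()
    return results

if __name__ == "__main__":
    print(demo())
```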