On 06/29/2010 06:26 PM, Lawrence D'Oliveiro wrote:
>> I'm not sure you understood me correctly, because I advocate
>> *not* doing input sanitization. Hard or not -- I don't want to know,
>> because I don't want to do it.
>
> But no-one has yet managed to come up with an alternative that involves less
> work.
Your case is still not persuasive. How is using the DB API's placeholders and parameterization more work? It's the same amount of keystrokes, perhaps even less. You would just be substituting the API's parameter placeholders for Python's. In fact with Psycopg2 and the mysql python db apis, it's almost a matter of simply removing the "%" and putting in a comma, turning python's string substitution into a method call. And you can leave out the quotes around where the variables go.

If I have to sanitize every input, I have to do it on each and every field on each and every form action. With the DB API doing the work I just do it once, in one place. Is this not easier than manually escaping everything and then embedding it in the query string?

I've not used sqlalchemy, but it looks similarly easy.

-- 
http://mail.python.org/mailman/listinfo/python-list
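The two patterns the reply contrasts, side by side, as an added example that is not from the thread. It uses the standard-library sqlite3 driver so it runs offline; sqlite3's placeholder is `?`, whereas psycopg2 and MySQLdb use `%s`, which is exactly the "remove the % and put in a comma" change described above. The table and the names in it are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory table so the example runs without a server.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("O'Brien", "ob@example.org")],
    )
    return conn


def lookup_formatted(conn, name):
    # The pattern the reply argues against: Python's % operator splices the
    # value into the SQL text, so the query's structure depends on whatever
    # characters `name` happens to contain.
    query = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    # The DB API approach: the placeholder stays in the SQL, the value travels
    # in the parameter tuple, and the driver keeps the two apart. No quotes
    # around the placeholder, no manual escaping of the value.
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def demo(name):
    # Returns (formatted_result, parameterized_result). A plain apostrophe in
    # the input is enough to break the formatted query; the parameterized one
    # treats the same string as an ordinary literal and finds the row.
    conn = make_db()
    try:
        formatted = lookup_formatted(conn, name)
    except sqlite3.Error as exc:
        formatted = "error: %s" % exc
    return formatted, lookup_parameterized(conn, name)


if __name__ == "__main__":
    for candidate in ("alice", "O'Brien"):
        print(candidate, demo(candidate))
```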