On Tue, Apr 19, 2011 at 3:22 PM, Dennis Lee Bieber <wlfr...@ix.netcom.com> wrote:
> On Mon, 18 Apr 2011 09:44:40 +0100, Tim Golden <m...@timgolden.me.uk>
> declaimed the following in gmane.comp.python.general:
>
>> sql = "SELECT ... WHERE name LIKE '%' + ? + '%'"
>> q = db.cursor ()
>> q.execute (sql, [response])
>>
> That won't work properly either (at least not in MySQLdb -- which
> quotes the values put into the placeholder; you'd end up with
> '%''value''%'

You'd end up with "... LIKE '%' + 'value' + '%'", which is perhaps overkill (it forces the database engine to concatenate three strings), but at least it's safe.

Chris Angelico
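An added example, not code from the thread, that runs the two parameterized forms above against a constructed in-memory SQLite table (assumed here instead of MySQLdb; SQLite concatenates with `||` rather than `+`). It also shows the caveat the thread does not cover: a bound value cannot inject SQL, but `%` and `_` in it still act as LIKE wildcards unless escaped.

```python
import sqlite3

# Constructed sample data in an in-memory SQLite database (assumption:
# the thread used MySQLdb; the placeholder/quoting behaviour is the same).
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE people (name TEXT)")
CONN.executemany("INSERT INTO people VALUES (?)",
                 [("Alice",), ("Bob",), ("O'Brien",), ("100%_sure",)])


def search_concat(fragment):
    """The thread's variant: placeholder concatenated inside the SQL.

    The driver binds the value as data, so the engine evaluates
    '%' || 'value' || '%'; a quote in the input cannot break out.
    """
    sql = ("SELECT name FROM people WHERE name LIKE '%' || ? || '%' "
           "ORDER BY name")
    return [row[0] for row in CONN.execute(sql, [fragment])]


def search_param(fragment):
    """Simpler: build the whole pattern in Python, bind it as one value."""
    sql = "SELECT name FROM people WHERE name LIKE ? ORDER BY name"
    return [row[0] for row in CONN.execute(sql, ["%" + fragment + "%"])]


def search_literal(fragment):
    """Bind as one value AND escape LIKE metacharacters, so '%' and '_'
    typed by the user match themselves instead of acting as wildcards."""
    escaped = (fragment.replace("\\", "\\\\")
                       .replace("%", "\\%")
                       .replace("_", "\\_"))
    sql = ("SELECT name FROM people WHERE name LIKE ? ESCAPE '\\' "
           "ORDER BY name")
    return [row[0] for row in CONN.execute(sql, ["%" + escaped + "%"])]
```

With input `%`, `search_param` returns every row because the bound value is still a LIKE pattern, while `search_literal` returns only the name that actually contains a percent sign.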