On Wed, Aug 28, 2013 at 5:42 AM, Fabrice POMBET <fp2...@gmail.com> wrote:
>
> On 8/28/2013 4:57 AM, Piotr Dobrogost wrote:
>
>> Having repr(None) == 'None' is sure the right thing but why does str(None)
>> == 'None'? Wouldn't it be more correct if it was an empty string?
>
> the point of str(obj) is to return a string containing the obj (a sequence of
> characters if it is unbound or not built-in, etc.)...
>
> If you set the rule str(None)=="", then you will cause plenty of problems.
>
> For instance, if you want to build a string like request="SELECT X"+"IN
> Y"+"WHERE B="+String(B)
> to prepare a sequel request, and the field B happens to be sometimes "None",
> you would automatically end up with """SELECT X IN Y WHERE B=''""" instead of
> """SELECT X IN Y WHERE B='None'""",
> and your sql request will fall into limbos...

The proper way to pass values into a SQL query is by using bind parameters. Inserting them into the query string by concatenation is error-prone and an excellent way to write code that is vulnerable to SQL injection attacks. The DB API guarantees that the object None will map to the database value NULL when passed directly as a parameter. The value returned by str(None) is irrelevant in this context.
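
The difference described in the reply above, as an added example that is not part of the original thread: the same lookup written with string concatenation and with a bind parameter, run against a value of None and against a value containing quotes. It assumes SQLite through the standard sqlite3 module; the table y, its column b, the sample rows and the helper names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: id 1 holds NULL, id 2 the literal text 'None',
    # id 3 an ordinary value.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE y (id INTEGER PRIMARY KEY, b TEXT)")
    conn.executemany("INSERT INTO y (b) VALUES (?)",
                     [(None,), ("None",), ("alice",)])
    return conn

def ids_concat(conn, b):
    # Concatenation, as in the quoted message: str(b) becomes part of the
    # SQL text, so its content is parsed as SQL.
    query = "SELECT id FROM y WHERE b = '" + str(b) + "' ORDER BY id"
    return [row[0] for row in conn.execute(query)]

def ids_bound(conn, b):
    # Bind parameter: the value travels separately from the SQL text.
    # IS is SQLite's NULL-safe comparison, so a bound None matches NULL rows.
    query = "SELECT id FROM y WHERE b IS ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (b,))]

def stored_type(conn, row_id):
    # Reports how SQLite stored column b for the given row.
    query = "SELECT typeof(b) FROM y WHERE id = ?"
    return conn.execute(query, (row_id,)).fetchone()[0]

if __name__ == "__main__":
    conn = make_db()
    quoted = "x' OR '1'='1"  # constructed input containing quote characters
    print("None inserted via parameter is stored as:", stored_type(conn, 1))
    print("concat, None   ->", ids_concat(conn, None))
    print("bound,  None   ->", ids_bound(conn, None))
    print("bound,  'None' ->", ids_bound(conn, "None"))
    print("concat, quoted ->", ids_concat(conn, quoted))
    print("bound,  quoted ->", ids_bound(conn, quoted))
```

With concatenation, None silently turns into the text 'None' and the quoted input changes the WHERE clause so every row is returned; with the bound parameter, None matches only the NULL row and the quoted input is compared as plain data.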