On Thursday, August 29, 2013 12:55:36 PM UTC+2, Ian wrote: > On Wed, Aug 28, 2013 at 5:42 AM, Fabrice POMBET <fp2...@gmail.com> wrote: > > > > > > On 8/28/2013 4:57 AM, Piotr Dobrogost wrote: > > > > > >> Having repr(None) == 'None' is sure the right thing but why does str(None) > >> == 'None'? Wouldn't it be more correct if it was an empty string? > > > > > > the point of str(obj) is to return a string containing the obj (a sequence > > of characters if it is unbound or not built-in, etc.)... > > > > > > If you set the rule str(None)=="", then you will cause plenty of problems. > > > > > > For instance, if you want to build a string like request="SELECT X"+"IN > > Y"+"WHERE B="+String(B) > > > to prepare a sequel request, and the field B happens to be sometimes > > "None", you would automatically end up with """SELECT X IN Y WHERE B=''""" > > instead of """SELECT X IN Y WHERE B='None'""", > > > and your sql request will fall into limbos... > > > > The proper way to pass values into a SQL query is by using bind > > parameters. Inserting them into the query string by concatenation is > > error-prone and an excellent way to write code that is vulnerable to > > SQL injection attacks. > > > > The DB API guarantees that the object None will map to the database > > value NULL when passed directly as a parameter. The value returned by > > str(None) is irrelevant in this context.
I could not agree more with you. The purpose of my post, however, was only to give a simple illustration of how such a generic change would make everything awkward, not to give any proper, precise or general directions on how to code a safe SQL request for a DB when you are online. Thank you however for your corrections. -- http://mail.python.org/mailman/listinfo/python-list
