On 19/02/2015 00:08, Mario Figueiredo wrote:
Parameterized queries are just a pet peeve of mine that I wish to include here. SQLite misses it and I miss the fact SQLite misses it. The less SQL one needs to write in their code, the happier one should be.
https://docs.python.org/3/library/sqlite3.html#module-sqlite3 paragraphs seven and eight.
"Usually your SQL operations will need to use values from Python variables. You shouldn’t assemble your query using Python’s string operations because doing so is insecure; it makes your program vulnerable to an SQL injection attack (see http://xkcd.com/327/ for humorous example of what can go wrong).
Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method. (Other database modules may use a different placeholder, such as %s or :1.) For example:..."
--
My fellow Pythonistas, ask not what our language can do for you, ask what you can do for our language.

Mark Lawrence

--
https://mail.python.org/mailman/listinfo/python-list
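The point the quoted documentation makes, as an added example that is not part of the thread: the same lookup written with string formatting and with DB-API parameter substitution, run against a constructed in-memory table. The table, rows and function names are all assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the original thread.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    # executemany already uses '?' placeholders, so the seed values are bound, not spliced.
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Builds the statement with string formatting: the value becomes part of the SQL text."""
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """DB-API parameter substitution: '?' is bound to the value, which is never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup_named(conn, name):
    """Same check using sqlite3's named placeholder style with a mapping of values."""
    sql = "SELECT name FROM users WHERE name = :name ORDER BY name"
    return [row[0] for row in conn.execute(sql, {"name": name})]


if __name__ == "__main__":
    conn = make_db()
    # A value containing a quote character; no user has this name.
    probe = "' OR '1'='1"
    print(lookup_unsafe(conn, probe))  # ['alice', 'bob']: the WHERE clause was rewritten
    print(lookup_safe(conn, probe))    # []: compared as a plain string
    print(lookup_named(conn, probe))   # []
```

The unsafe variant returns every row because the quote in the input terminates the string literal and the rest of the input is interpreted as SQL; both bound variants simply find no user with that literal name.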