On 04Oct2020 02:56, pascal z <barp...@yahoo.com> wrote:
>On Thursday, September 24, 2020 at 4:37:07 PM UTC+2, Terry Reedy wrote:
>> Read
>> https://docs.python.org/3/faq/programming.html#what-is-the-most-efficient-way-to-concatenate-many-strings-together
>
>Thanks for this tip. I do think it's better to use lists than
>concatenate into string variable. However, writing a list to a csv file
>is not something easy. If strings stored into the list have commas and
>single quotes (like song title's), it messes up the whole csv when it
>first meets this.
[...]
>[...]
>csv_contents = "%s;%s;%s;%.2f;%.2f;%.2f;%.2f;%s" % (vfolder_path,
>vfile_name, vfolder_path_full, 0.00, 0.00, 0.00,0.00, "folder")
>arr.append([csv_contents])
>[...]

Is there a reason you're not using the csv module to write and read CSV files? It knows how to correctly escape values in a number of common dialects (the default dialect works well).

By composing CSV files with %-formatting (or with any crude string formatting) you get the exact syntax issue you're describing. Faced with user supplied data, these issues become "injection attacks", as exemplified by this XKCD comic:

https://xkcd.com/327/
https://www.explainxkcd.com/wiki/index.php/Little_Bobby_Tables

The correct approach here is to have a general and _correct_ formatter for the values, and to not assemble things with simplistic approaches like %-formatting. With databases the standard approach for assembling SQL is to provide template SQL with the values as arguments, and have the db-specific driver construct SQL for you.

And with CSV files the same applies: import the csv module and use csv.writer() to generate the CSV data; you just hand the writer an array of values (strings, floats, whatever) and it takes care of using the correct syntax in the file.

Cheers,
Cameron Simpson <c...@cskk.id.au>
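
The difference described in the reply above, as an added example that is not part of the original thread: the same rows are written with the quoted %-format string and with csv.writer, then parsed back. The sample rows, function names and the choice of `;` as delimiter for csv.writer are assumptions made to match the quoted snippet.

```python
import csv
import io

# Constructed sample rows in the layout of the quoted snippet:
# folder path, file name, full path, four numeric columns, entry type.
ROWS = [
    ["/music", "plain.mp3", "/music/plain.mp3", 1.0, 0.0, 0.0, 0.0, "file"],
    ["/music", "Don't Stop; Believin'.mp3", "/music/x", 2.5, 0.0, 0.0, 0.0, "file"],
    # A name carrying quotes, a newline and delimiters: with no escaping,
    # this one value turns into extra columns and an extra row.
    ["/music", 'say "hi"\n/etc;evil;row', "/music/y", 0.0, 0.0, 0.0, 0.0, "file"],
]

def as_text(row):
    """Render floats with two decimals so both writers emit the same values."""
    return [f"{v:.2f}" if isinstance(v, float) else v for v in row]

def write_naive(rows):
    """%-formatting as in the quoted post: values are pasted in unescaped."""
    fmt = "%s;%s;%s;%.2f;%.2f;%.2f;%.2f;%s"
    return "".join(fmt % tuple(row) + "\n" for row in rows)

def write_csv(rows):
    """csv.writer quotes any field containing the delimiter, a quote or a newline."""
    buf = io.StringIO(newline="")
    writer = csv.writer(buf, delimiter=";")
    writer.writerows(as_text(row) for row in rows)
    return buf.getvalue()

def read_back(text):
    """Parse the text the way a consumer of the file would."""
    return list(csv.reader(io.StringIO(text, newline=""), delimiter=";"))

if __name__ == "__main__":
    wanted = [as_text(row) for row in ROWS]
    for name, text in (("naive", write_naive(ROWS)), ("csv.writer", write_csv(ROWS))):
        parsed = read_back(text)
        print(f"{name}: {len(parsed)} rows, widths {[len(r) for r in parsed]}, "
              f"round-trips: {parsed == wanted}")
```
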