Magnus Lycka <[EMAIL PROTECTED]> wrote in news:[EMAIL PROTECTED]:
Thank you for your message I found really illuminating. > Using the same symbol for both string substitutions and SQL placeholder > such as pysqlite 1 and the MySQL interface does, is not really a bright > idea in my opinion. Who thinks this is pretty? > > sql = "SELECT %s FROM %s WHERE %s = %%s" > cur.execute(sql % (col,table,search_col), (param,)) > > I think it's less confusing with: > > sql = "SELECT %s FROM %s WHERE %s = ?" > cur.execute(sql % (col,table,search_col), (param,)) I had never thought about it, I really agree. > Of course, the "proper" way, with %s-substitution for e.g. table > names and ? for parameters is also open for SQL injection attacks > if the values in the strings col, table and search_col above are > user input, but since they are plain SQL identifiers, they are much > easier to check than arbitrary search values. You'd probably have > a set of allowed values, and check that the input was in that > set. They are also less likely to come from an untrusted source. undoubtedly. > As you can see in > http://initd.org/tracker/pysqlite/wiki/PysqliteVersions > you can use pysqlite 1.1 if you want to use the old pysqlite 1 > API. > > Pysqlite2 is documented here: > http://initd.org/pub/software/pysqlite/doc/usage-guide.html yes I had already found the docs and noticed there was no explanation about such a remarkable difference from pysqlite1 and pysqlite2. After your message, I find even more strange that Magnus' book reported pysqlite1 examples as Sqlite 3 was a great step forward in my opinion. But this can not prevent me from saying that it is the best Python book around in the beginner to intermediate range. -- http://mail.python.org/mailman/listinfo/python-list
