On 2017-03-02 09:55, Christian Gollwitzer wrote:
> you could do it "the (theoretical) right way", which is using
> another table. Insert your keys into a table, maybe temporary one,
> and then do
>
> select * from mumble where key in (select key from keytable)
>
> In theory that should also be fa
Am 28.02.17 um 18:28 schrieb Skip Montanaro:
Most of the time (well, all the time if you're smart), you let the
database adapter do parameter substitution for you to avoid SQL
injection attacks (or stupid users). So:
curs.execute("select * from mumble where key = ?", (key,))
If you want to
On 28.02.17 19:28, Skip Montanaro wrote:
Most of the time (well, all the time if you're smart), you let the
database adapter do parameter substitution for you to avoid SQL
injection attacks (or stupid users). So:
curs.execute("select * from mumble where key = ?", (key,))
If you want to sele
On 2017-03-01 04:40, Chris Angelico wrote:
> curs.execute("select * from mumble where key in (" +
> ",".join(["?"]*len(keys)) + ")", keys)
>
> If this is combined with another parameter, it'd be messier, but you
> could do something like:
>
> curs.execute("select * from mumble where key in (" +
>
On 2017-02-28, Skip Montanaro wrote:
> Some database adapters provide a function to do explicit
> substitution (e.g., mySQLdb.escape, psycopg2._param_escape),
> but the sqlite3 adapter doesn't.
It's clunky but you can use sqlite's core "quote" function.
quote(X)
The quote(X) function returns
On Tue, Feb 28, 2017 at 12:42 PM, Chris Angelico wrote:
> That isn't what you were doing in your post, so it seemed worth
> mentioning.
Sorry, my original post was a bit abbreviated. I can't copy text from
inside to outside, so have to retype everything. I guess I missed
that.
S
--
https://mail
On Wed, Mar 1, 2017 at 5:40 AM, Skip Montanaro wrote:
> On Tue, Feb 28, 2017 at 11:40 AM, Chris Angelico wrote:
>> Testing with PostgreSQL (which *does* transform lists) suggests that
>> "in" doesn't work; I used "key = any(%s)". I'd try that with sqlite3
>> first, just in case it makes a differe
On Tue, Feb 28, 2017 at 11:40 AM, Chris Angelico wrote:
> Testing with PostgreSQL (which *does* transform lists) suggests that
> "in" doesn't work; I used "key = any(%s)". I'd try that with sqlite3
> first, just in case it makes a difference. Probably it won't, but
> worth a try.
Yeah, doesn't wo
Skip Montanaro wrote:
> Most of the time (well, all the time if you're smart), you let the
> database adapter do parameter substitution for you to avoid SQL
> injection attacks (or stupid users). So:
>
> curs.execute("select * from mumble where key = ?", (key,))
>
> If you want to select fro
On Wed, Mar 1, 2017 at 4:28 AM, Skip Montanaro wrote:
> Some database adapters provide a function to do explicit substitution
> (e.g., mySQLdb.escape, psycopg2._param_escape), but the sqlite3
> adapter doesn't. Is there a function floating around out there which
> does the right thing, allowing yo
Most of the time (well, all the time if you're smart), you let the
database adapter do parameter substitution for you to avoid SQL
injection attacks (or stupid users). So:
curs.execute("select * from mumble where key = ?", (key,))
If you want to select from several possible keys, it would be
11 matches
Mail list logo
