On Wed, 2006-04-19 at 11:38, Gerhard Häring wrote:
> Abolishing (py)format certainly means additional work for the module
> authors. If we do so - I haven't read the whole thread, so I don't know
> what the arguments are for it - then we should include example code in
> the DB-API for parsing qmarks out of ANSI SQL statements.
The main argument for abolishing (py)format is that it blurs the line between parameter passing, which is good, and hand-rolling a query via string substitution, which is bad because it invites SQL injections if not done carefully, and it's almost never done carefully. Especially newbies seem to have a problem with telling the two apart and understanding why parameter binding is better than string substitution. Abolishing %s should make it a lot easier to clearly separate the two concepts.

Ian also brought up the point that implementations that use (py)format have a rather ugly wart: literal % signs in queries have to be doubled up to prevent accidental parameter markers. This is ugly and makes writing portable code unnecessarily hard.

I agree that if we decide to abolish (py)format, we should help out module authors for databases that don't natively support '?' by providing example code for performing the necessary parsing.

-Carsten

_______________________________________________
DB-SIG maillist - DB-SIG@python.org
http://mail.python.org/mailman/listinfo/db-sig
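The points Carsten raises, as an added example that is not code from this thread or from the DB-API specification: a hand-rolled query beside its parameter-bound equivalent (using the stdlib `sqlite3` module, which speaks qmark style, against a constructed two-row table), a sketch of the kind of translator Gerhard asks for, `qmark_to_native`, which rewrites '?' placeholders into a backend's native marker while skipping string literals, quoted identifiers and comments, and `percent_wart`, which shows the literal-% doubling problem Ian mentioned. All function and table names are hypothetical and chosen for this illustration.

```python
# Added example (not code from the DB-SIG thread or the DB-API spec): the two
# points in Carsten's message, in runnable form. The table, its rows and all
# helper names are constructed for this illustration.
import sqlite3


def make_db():
    """Constructed sample database with a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def role_by_substitution(conn, name):
    """Hand-rolled query: the caller's value becomes part of the SQL text,
    so a quote in the value changes the statement's meaning."""
    sql = "SELECT role FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def role_by_binding(conn, name):
    """qmark paramstyle: the driver passes the value out of band and the
    SQL text is fixed, whatever the value contains."""
    return [row[0] for row in
            conn.execute("SELECT role FROM users WHERE name = ?", (name,))]


def qmark_to_native(sql, marker, escape_percent=False):
    """Rewrite qmark placeholders for a backend that lacks '?' support.

    marker(n) returns the backend's marker for the n-th parameter (1-based),
    e.g. lambda n: "$%d" % n for numeric style or lambda n: "%s" for format
    style.  A '?' inside a string literal ('...' with '' escapes), a quoted
    identifier ("..."), a -- line comment or a /* */ block comment is left
    alone.  With escape_percent=True every literal '%' is doubled so a
    format-style driver cannot mistake it for a parameter marker.
    Returns (rewritten_sql, parameter_count).
    """
    out = []
    count = 0
    state = None          # None, "'", '"', "--" or "/*"
    i, end = 0, len(sql)

    def put(text):
        out.append(text.replace("%", "%%") if escape_percent else text)

    while i < end:
        ch = sql[i]
        if state is None:
            if ch in ("'", '"'):
                state = ch
                put(ch)
            elif sql.startswith("--", i):
                state = "--"
                put("--")
                i += 1
            elif sql.startswith("/*", i):
                state = "/*"
                put("/*")
                i += 1
            elif ch == "?":
                count += 1
                out.append(marker(count))   # markers are emitted verbatim
            else:
                put(ch)
        elif state in ("'", '"'):
            put(ch)
            if ch == state:
                if i + 1 < end and sql[i + 1] == state:   # '' escapes a quote
                    put(state)
                    i += 1
                else:
                    state = None
        elif state == "--":
            put(ch)
            if ch == "\n":
                state = None
        else:                                  # inside /* ... */
            if sql.startswith("*/", i):
                put("*/")
                i += 1
                state = None
            else:
                put(ch)
        i += 1
    return "".join(out), count


def percent_wart(sql):
    """True if Python's %-substitution rejects an undoubled literal '%' in the
    query text; with format paramstyle that literal has to be written '%%'."""
    try:
        sql % ()
        return False
    except (ValueError, TypeError):
        return True
```

The translator keeps a small state machine rather than a regular expression because the cases that bite in practice are exactly the ones a naive `str.replace("?", ...)` gets wrong: a question mark inside a string literal or a comment. The `percent_wart` helper makes the portability problem concrete: `LIKE '100%'` is valid SQL for a qmark driver but must become `LIKE '100%%'` for a format-style one.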