On Tue, 2007-08-14 at 10:18 -0400, Mike Meyer wrote:
> > How often does an identifier come from an untrusted source?
>
> Um, how about in every web-based app that has a real search facility?
> One that lets the user specify which column(s) they want to check, or
> that can search multiple tables?

Even if you take an identifier directly from an untrusted source, nobody is forcing you to stick it into a query unchecked.

Anyway, I don't doubt that you often need to put unchecked identifiers from an untrusted source into queries, but I think you're in a very small minority compared to the general population of database application developers. I don't think that the DB-API spec should be weighed down by requiring a feature of such little general use, but you're welcome to write a reusable toolkit module that lives outside of and on top of DB-API. Of course you'll need to code some per-database logic that defines whether the database accepts delimited identifiers and what the delimiter is, but you only need to do this once for every database you plan on supporting.

Keep in mind that this is just my opinion, and I don't speak for the entire DB-SIG community. It's your right to post a proposal and ask for a vote.

--
Carsten Haese
http://informixdb.sourceforge.net
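The kind of toolkit layer the message describes, as an added example that is not part of the original post or of any DB-API module: identifiers are checked against an allow-list and then delimited per database, while the search value travels as a bound parameter. The names `DELIMITERS`, `quote_identifier`, `search` and `demo`, the `books` table and the dialect entries are assumptions made for illustration.

```python
import sqlite3

# Assumed per-database table of (open, close) delimiters for delimited
# identifiers; extend once for each backend you plan to support.
DELIMITERS = {
    "sqlite": ('"', '"'),
    "postgresql": ('"', '"'),
    "mysql": ("`", "`"),
}

def quote_identifier(name, dialect="sqlite"):
    """Return name as a delimited identifier for the given dialect."""
    if not isinstance(name, str) or not name or "\x00" in name:
        raise ValueError("invalid identifier")
    open_d, close_d = DELIMITERS[dialect]
    # An embedded closing delimiter is escaped by doubling it.
    return open_d + name.replace(close_d, close_d * 2) + close_d

def search(conn, table, column, term, allowed, dialect="sqlite"):
    """Search one user-chosen column of one user-chosen table.

    The identifiers must appear in the allow-list `allowed`
    ({table: {column, ...}}); only then are they delimited and placed
    in the SQL text. The search term is never interpolated.
    """
    if table not in allowed or column not in allowed[table]:
        raise ValueError("unknown table or column")
    sql = "SELECT * FROM {} WHERE {} LIKE ?".format(
        quote_identifier(table, dialect), quote_identifier(column, dialect))
    return conn.execute(sql, ("%" + term + "%",)).fetchall()

def demo():
    """Build a constructed in-memory database and its allow-list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (title TEXT, author TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?)",
                     [("Dune", "Herbert"), ("Emma", "Austen")])
    return conn, {"books": {"title", "author"}}

if __name__ == "__main__":
    conn, allowed = demo()
    print(search(conn, "books", "author", "Aus", allowed))
```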