On Jul 23, 10:46 pm, Димка Платон <[email protected]> wrote:
> Thanks.
> One more question.
> What is about escape_string?
> I tried to use
> cur.escape_string(my_var)
> and get error
> AttributeError: 'DictCursor' object has no attribute 'escape_string'.
escape_string() is on the connection object (not the cursor), but you
probably shouldn't use it anyhow. In general you should just use %s
as placeholder and pass your arguments as a tuple second argument.
The driver will do the work of escaping things for you (correctly
encoding things by type):
cur.execute("SELECT foo FROM bar_table WHERE col1=%s AND col2=%s", (1, 'yadda'))
This is also critically important in web applications in general since
it is the best way to avoid SQL injection attacks that happen when you
do your own escaping or use regular Python %-style string formatting.
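The two patterns contrasted in the reply above, as an added example that is not part of the original thread. It uses the stdlib sqlite3 module so it runs offline; sqlite3's placeholder is ? (paramstyle "qmark") where MySQLdb's is %s (paramstyle "format"), but the rule is the same: do not build the SQL string yourself, pass the values as a tuple.

```python
# Added example (not from the original thread). sqlite3 stands in for
# MySQLdb here; only the placeholder character differs (? vs %s).
import sqlite3


def make_db():
    """Constructed sample table named after the one in the message."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bar_table (col1 INTEGER, col2 TEXT, foo TEXT)")
    conn.executemany(
        "INSERT INTO bar_table VALUES (?, ?, ?)",
        [(1, "yadda", "public"), (2, "other", "private")],
    )
    return conn


def lookup_unsafe(conn, col2):
    """The pattern the reply warns against: Python %-formatting glues the
    input straight into the statement, so a quote in the input changes
    the structure of the WHERE clause."""
    sql = "SELECT foo FROM bar_table WHERE col1=%s AND col2='%s'" % (1, col2)
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, col2):
    """The recommended pattern: placeholders plus a tuple of arguments.
    The driver quotes and encodes each value by type, so the input is
    always treated as data, never as SQL."""
    sql = "SELECT foo FROM bar_table WHERE col1=? AND col2=?"
    return [row[0] for row in conn.execute(sql, (1, col2))]


def demo():
    """Run both lookups on a benign value and on a constructed value
    that contains a quote; returns the four result lists."""
    conn = make_db()
    benign = "yadda"
    quoted = "x' OR '1'='1"  # constructed input containing a single quote
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_quoted": lookup_unsafe(conn, quoted),  # leaks every row
        "safe_benign": lookup_safe(conn, benign),
        "safe_quoted": lookup_safe(conn, quoted),      # matches nothing
    }


if __name__ == "__main__":
    print(demo())
```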
You received this message because you are subscribed to the Google Groups
"pylons-discuss" group.