The DB-API doesn't support sets directly, so you wind up having to
manually expand them:

>>> curs.execute("select count(*) from sometable where somecol in ?", 
>>> ({4126,11638},))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
sqlite3.OperationalError: near "?": syntax error
>>> curs.execute("select count(*) from sometable where somecol in (?)", 
>>> ({4126,11638},))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
sqlite3.InterfaceError: Error binding parameter 0 - probably unsupported type.

>>> curs.execute("select count(*) from sometable where somecol in (11638, 
>>> 4126)")
<sqlite3.Cursor object at 0x7f8ef5f6c570>

In the example above, I'm able to skip input validation because the
element values in the set are ints, but programmers being the lazy
sort that they are, when such values are strings there's probably also
the tendency to skip argument escaping.

A quick check on bugs.python.org as well as Google yielded no obvious
earlier discussion. Is it simply that underlying database drivers are
unable to support this or was DB-API 2.0 frozen (no pun intended)
before sets were available or in wide use in Python?

Set support and the SQL "in" operator would seem to be handy, both as
a convenience and as a barrier to SQL injection errors.

Skip
_______________________________________________
Python-ideas mailing list
Python-ideas@python.org
https://mail.python.org/mailman/listinfo/python-ideas
Code of Conduct: http://python.org/psf/codeofconduct/

Reply via email to