Lawrence D'Oliveiro <[EMAIL PROTECTED]> wrote:

> In message <[EMAIL PROTECTED]>, Duncan Booth wrote:
>
>> Lawrence D'Oliveiro <[EMAIL PROTECTED]> wrote:
>>
>>> def EscapeSQLWild(Str) :
>>>     """escapes MySQL pattern wildcards in Str."""
>>>     Result = []
>>>     for Ch in str(Str) :
>>>         if Ch == "%" or Ch == "_" :
>>>             Result.append("\\")
>>>         #end if
>>>         Result.append(Ch)
>>>     #end for
>>>     return "".join(Result)
>>> #end EscapeSQLWild
>>
>> That doesn't quite work. If you want to stop wildcards being
>> interpreted as such in a string used as a parameter to a query, then
>> you have to escape the escape character as well.
>
> That's part of the separation of function. Note that the above
> function does not generate a MySQL string literal: you must still put
> it through the previously-defined SQLString routine, which will
> automatically escape all the specials added by EscapeSQLWild.
>

You are still missing the point. I'm not talking about generating a
MySQL string literal, I'm talking about preventing wildcard characters
having their special meaning when using the string as a parameter in
cursor.execute. You still have to escape the escape character, and you
have to do that before or at the same time as you escape the wildcards.
No string literals are involved anywhere.

Calling the SQLString routine in this situation would be wrong because
it would escape characters such as newline which must not be escaped.

--
http://mail.python.org/mailman/listinfo/python-list
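An added example, not code from either poster: it places the quoted EscapeSQLWild next to a version that does what Duncan describes (escaping the escape character in the same pass as the wildcards) and runs both through a parameterised LIKE query. The in-memory SQLite table stands in for MySQL because sqlite3 ships with Python; the ESCAPE clause is written out explicitly because SQLite, unlike MySQL, has no default LIKE escape character. The table contents, function names and inputs are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows. Two contain a literal backslash, which is
# exactly the case the original function does not handle.
SAMPLE_NAMES = ["ab", "a\\b", "100%", "100x", "\\anything", "\\%"]


def escape_sql_wild_original(s):
    """Behaviour of the quoted EscapeSQLWild: escapes only % and _.

    A backslash in the input passes through untouched, so the pattern
    engine later reads it as an escape for whatever follows it."""
    result = []
    for ch in str(s):
        if ch == "%" or ch == "_":
            result.append("\\")
        result.append(ch)
    return "".join(result)


def escape_like_pattern(s, escape="\\"):
    """Escape the escape character itself as well as % and _.

    Doing all three in one pass is equivalent to escaping the escape
    character first and the wildcards afterwards; either order avoids
    double-escaping the backslashes that were just inserted."""
    out = []
    for ch in str(s):
        if ch in (escape, "%", "_"):
            out.append(escape)
        out.append(ch)
    return "".join(out)


def build_db():
    """Create an in-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    return conn


def like_matches(conn, user_text, escaper):
    """Run an exact-match LIKE search with the text passed as a parameter.

    No string literal is built: the escaped text travels as a bound
    parameter, and the ESCAPE clause tells the engine which character
    neutralises % and _ inside it."""
    pattern = escaper(user_text)
    rows = conn.execute(
        "SELECT name FROM items WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]


def compare(user_text):
    """Return what each escaper finds for the same user text."""
    conn = build_db()
    return {
        "original": like_matches(conn, user_text, escape_sql_wild_original),
        "escaped": like_matches(conn, user_text, escape_like_pattern),
    }


if __name__ == "__main__":
    for text in ["100%", "a\\b", "\\%"]:
        print(repr(text), compare(text))
```

Searching for the literal text `a\b` with the original escaper finds only `ab`, because the unescaped backslash makes the engine treat the following `b` as a literal and the row that actually contains a backslash is missed; searching for the literal `\%` with the original escaper turns the `%` back into a wildcard after the escaped backslash and matches every row beginning with a backslash. The version that also escapes the escape character returns exactly the row asked for in both cases.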