On Jun 2, 5:06 pm, Peter Otten <[EMAIL PROTECTED]> wrote:
> You are taking the wrong approach here.
>
> Don't build SQL statements as strings; you are enabling the next SQL
> injection attack. Pass parameters using the DB API instead.
>
> Don't use regular expressions to parse a CSV file. Python's csv module is
> more likely to deal correctly with the quirks of that standard.
>
I'd like to second both these statements. Regardless of whether these CSV files are from a trusted source or not, it's a virtual truism of programming that eventually, any application will be used in ways it was not intended. Since using a parameterized query is a simple way to avoid a common security hole, even if such a thing could never be exploited by the app in its current configuration, you should do things the Right Way. That way, even if your code is twisted to some other use in the future, it's less likely to cause problems.

--
http://mail.python.org/mailman/listinfo/python-list
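The two recommendations above (bind parameters through the DB API, parse CSV with the csv module) side by side, as an added example that is not part of the thread and not code posted by either participant. It uses the standard library only; the sample CSV rows, the `users` table and the function names are constructed for illustration. sqlite3 is used as the DB API driver, so the placeholder style is `?`; other drivers use `%s` or `:name`, but the principle is the same.

```python
import csv
import io
import sqlite3

# Constructed sample input (not from the thread). Row 1 has a quoted field
# containing a comma and doubled quotes; row 2 carries a value that would
# break an INSERT statement assembled by string formatting.
SAMPLE_LINES = [
    'name,email,note',
    'Alice,alice@example.com,"likes commas, and ""quotes"""',
    "Bob,bob@example.com,x'); DROP TABLE users; --",
]
SAMPLE_CSV = "\n".join(SAMPLE_LINES) + "\n"


def parse_naive(line):
    """The split/regex approach the thread warns against: quoting is ignored,
    so a comma inside a quoted field produces an extra column."""
    return line.split(",")


def parse_with_csv(line):
    """The csv module honours quoting: embedded commas stay in the field and
    a doubled quote becomes one literal quote."""
    return next(csv.reader([line]))


def load_users(csv_text):
    """Parse with csv.DictReader and insert with a parameterized executemany()."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, note TEXT)")
    rows = [(r["name"], r["email"], r["note"])
            for r in csv.DictReader(io.StringIO(csv_text))]
    # '?' placeholders: the driver binds each value; nothing inside a field is
    # ever interpreted as SQL, so the quote in Bob's note is stored verbatim.
    conn.executemany(
        "INSERT INTO users (name, email, note) VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def count_matching_unsafe(conn, name):
    """String-built WHERE clause: the caller-supplied value becomes SQL text.
    With name = "x' OR '1'='1" the clause is always true and every row matches."""
    sql = "SELECT COUNT(*) FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchone()[0]


def count_matching_safe(conn, name):
    """Same query with a bound parameter: the value is compared as a value."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone()[0]


def note_for(conn, name):
    """Fetch one user's note, again with a bound parameter."""
    row = conn.execute(
        "SELECT note FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = load_users(SAMPLE_CSV)
    print(len(parse_naive(SAMPLE_LINES[1])), "fields via naive split")
    print(len(parse_with_csv(SAMPLE_LINES[1])), "fields via csv module")
    hostile = "x' OR '1'='1"
    print(count_matching_unsafe(conn, hostile), "rows match (string-built SQL)")
    print(count_matching_safe(conn, hostile), "rows match (bound parameter)")
    print(repr(note_for(conn, "Bob")))
```

The point of `count_matching_unsafe` is that the hostile value never needs a second statement to do damage: sqlite3 refuses stacked statements in `execute()`, yet a single rewritten WHERE clause already returns every row. The parameterized versions treat the same string as data, and the CSV field with the embedded `'` lands in the table unchanged.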