> Currently I'm working around this by duplicating the
> backslash in python, which generates the same error from postgres but
> actually returns records beginning with a single backslash. It looks like
> postgres has a special E'' syntax for escaping which I don't entirely
> understand, but would it make sense for SQLObject to be using that in the
> future?

I'm actually less than satisfied with the way SO currently deals with parameters - because it essentially does the escaping itself, and then creates full SQL-statements.

The better way to go would of course be to use the parametrized version of cursor.execute, which should shift the problem (if it persisted) to the db-adapter itself.

However, this would mean a rather major rewrite of sqlbuilder. Yet I do believe it's worth it, because otherwise we open up for SQL injection attacks and similar problems.

Diez

_______________________________________________
sqlobject-discuss mailing list
sqlobject-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlobject-discuss
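
Added example, not part of the original message and not SQLObject code: a sketch of the difference described above between inlining a client-escaped value into the statement and passing it to the parametrized `cursor.execute`. It assumes Python's built-in `sqlite3` as a stand-in adapter (backslashes are literal in its string literals, as in PostgreSQL with `standard_conforming_strings` on); the table, the sample rows and the names `backslash_escape`, `find_inlined` and `find_bound` are constructed for illustration.

```python
import sqlite3

# Constructed sample rows: one begins with a single backslash, one has a quote.
ROWS = ["\\server\\share", "O'Brien", "plain"]


def make_db():
    """In-memory database standing in for the real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (name TEXT)")
    conn.executemany("INSERT INTO item (name) VALUES (?)", [(r,) for r in ROWS])
    return conn


def backslash_escape(value):
    """Hypothetical client-side escaper that assumes backslash-escape rules.

    It is only correct if the server parses string literals the same way.
    """
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def find_inlined(conn, value):
    """Build the full SQL text client-side, then execute it."""
    sql = "SELECT name FROM item WHERE name = " + backslash_escape(value)
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        # The escaped quote closed the literal early, so the rest of the
        # value was parsed as SQL instead of data.
        return "error: " + type(exc).__name__


def find_bound(conn, value):
    """Pass the value separately; the adapter never splices it into SQL."""
    cur = conn.execute("SELECT name FROM item WHERE name = ?", (value,))
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = make_db()
    for v in ROWS:
        print(repr(v), "inlined:", find_inlined(db, v), "bound:", find_bound(db, v))
```

The inlined lookup silently misses the backslash row and fails on the quoted one because the escaper guessed the wrong literal rules, while the bound lookup returns every row unchanged.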