On Mon, Jun 09, 2008 at 12:54:09PM +0200, Diez B. Roggisch wrote:
> I'm actually less than satisfied with the way SO currently deals with
> parameters - because it essentially does the escaping itself, and then
> creates full SQL-statements.
>
> The better way to go would of course be to use the parametrized version of
> cursor.execute, which should shift the problem (if it persisted) to the
> db-adapter itself.
>
> However, this would mean a rather major rewrite of sqlbuilder. Yet I do
> believe it's worth it, because otherwise we open up for SQL injection attacks
> and similar problems.
Not only sqlbuilder - dbconnection and derivatives. I tried to do this in the private branch http://svn.colorstudy.com/home/phd/SQLObject/paramstyles (see dbconnection.py, class DBAPI, method _executeRetry; also see http://svn.colorstudy.com/home/phd/SQLObject/paramstyles/sqlobject/include/DBSingleStyle.py).

The work partially failed because different DB API drivers have issues with data types - PySQLite1 does interpolation itself simply by doing "%s" % param, PySQLite2 has (or at least had) problems with mxDateTime, psycopg had problems with datetime.

The second problem is that the work has to be resynchronised with the work of Luke Opperman in 0.10.0, and that's a rather big job.

Oleg.
-- 
Oleg Broytmann http://phd.pp.ru/ [EMAIL PROTECTED]
Programmers don't die, they just GOSUB without RETURN.

_______________________________________________
sqlobject-discuss mailing list
sqlobject-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlobject-discuss
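The two approaches the thread contrasts, as an added example that is not SQLObject's code: a hand-built statement in the `"%s" % param` style attributed to PySQLite1 beside a parametrized `cursor.execute`, plus a hypothetical `adapt_paramstyle` helper that rewrites a `?` query for each DB-API 2.0 paramstyle (the problem the paramstyles branch had to solve per driver). It uses the stdlib `sqlite3` module, which accepts both `qmark` and `named` placeholders.

```python
import sqlite3

# DB-API 2.0 defines five paramstyles; a query builder that wants to hand
# values to cursor.execute() must emit whichever one the driver declares.
# Hypothetical helper: assumes '?' never appears inside a literal, which
# holds once all values travel as parameters rather than inline text.
def adapt_paramstyle(sql, params, paramstyle):
    pieces = sql.split("?")
    if len(pieces) - 1 != len(params):
        raise ValueError("placeholder/parameter count mismatch")
    if paramstyle == "qmark":                       # WHERE x = ?
        return sql, tuple(params)
    if paramstyle == "format":                      # WHERE x = %s
        return "%s".join(pieces), tuple(params)
    if paramstyle == "numeric":                     # WHERE x = :1
        out = pieces[0]
        for i, tail in enumerate(pieces[1:], 1):
            out += ":%d" % i + tail
        return out, tuple(params)
    if paramstyle in ("named", "pyformat"):         # :p0  /  %(p0)s
        out, named = pieces[0], {}
        for i, tail in enumerate(pieces[1:]):
            key = "p%d" % i
            named[key] = params[i]
            out += (":%s" % key if paramstyle == "named" else "%%(%s)s" % key) + tail
        return out, named
    raise ValueError("unknown paramstyle %r" % paramstyle)

def insert_interpolated(conn, name):
    # The style the thread criticises: the library quotes the value itself
    # and sends a complete statement; any apostrophe in the data breaks it.
    conn.execute("INSERT INTO person (name) VALUES ('%s')" % name)

def insert_parametrized(conn, name, paramstyle):
    # Values never touch the SQL text; the driver handles quoting and types.
    sql, params = adapt_paramstyle("INSERT INTO person (name) VALUES (?)", [name], paramstyle)
    conn.execute(sql, params)

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (name TEXT)")
    results = {}
    try:                                            # constructed sample value
        insert_interpolated(conn, "O'Brien")
        results["interpolated"] = "ok"
    except sqlite3.OperationalError:                # hand-built SQL is malformed
        results["interpolated"] = "error"
    for style in ("qmark", "named"):                # both accepted by sqlite3
        insert_parametrized(conn, "O'Brien", style)
    results["stored"] = [row[0] for row in conn.execute("SELECT name FROM person")]
    return results
```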