>data = {}
>data['start_date'] = '2005-6-2'
>data['last_name'] = 'Johnson'
>
>query = '''
> SELECT *
> FROM my_table
> WHERE date >= '%(start_date)s'
> AND last_name = '%(last_name)s'
>''' % data
>results = my_database.Execute(query)
First up. This is a "bad idea".
It may be ok now, as long as you have absolute control
over what start_date and last_name are, but what about
next week when you decide ... "let's allow the user to put
in the dates for start_date" and they make start_date
"'6-2-05'; DELETE FROM my_table; SELECT * FROM my_table
WHERE date='6-2-05' "
Instead, use the arg quoting mechanism from the db
interface you are using. You don't say which one that
is, but it should look something like ...
data = {}
data['start_date'] = '2005-6-2'
data['last_name'] = 'Johnson'
# No quotes around the placeholders: the driver binds the values
# and quotes/escapes them itself. This is the DB-API "pyformat"
# style; other drivers use ?, :name or %s, so check yours.
query = '''
SELECT *
FROM my_table
WHERE date >= %(start_date)s
AND last_name = %(last_name)s
'''
results = my_database.execute(query, data)
Very nice. Thank-you.
--greg
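To make the difference concrete, here is an added example (not code from the thread) that runs both patterns against an in-memory sqlite3 database with a constructed table and a hypothetical hostile start_date in the spirit of the one quoted above; sqlite3 uses :name placeholders rather than %(name)s, so the bound query is written in that style.

```python
import sqlite3

# Constructed sample table (not from the original post); ISO dates so
# the string comparison in "date >= ..." orders correctly.
ROWS = [("2005-06-01", "Johnson"), ("2005-06-03", "Johnson"), ("2005-06-03", "Smith")]

LEGIT = {"start_date": "2005-06-02", "last_name": "Johnson"}
# Hypothetical hostile input modelled on the post's example: it closes the
# quote, smuggles in a DELETE and re-opens a syntactically valid SELECT.
HOSTILE = {"start_date": "2006-01-01'; DELETE FROM my_table; "
                         "SELECT * FROM my_table WHERE date >= '2006-01-01",
           "last_name": "Johnson"}

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_table (date TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO my_table VALUES (?, ?)", ROWS)
    return conn

def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM my_table").fetchone()[0]

def build_query_unsafe(data):
    # The pattern the post warns about: values pasted into the SQL text.
    return ("SELECT * FROM my_table WHERE date >= '%(start_date)s' "
            "AND last_name = '%(last_name)s'") % data

def run_unsafe(conn, data):
    # sqlite3.execute() refuses stacked statements; executescript() accepts
    # them, which mimics a driver that does, so the damage becomes visible.
    conn.executescript(build_query_unsafe(data))
    return row_count(conn)  # rows left in the table afterwards

# The fix: unquoted placeholders, values handed to the driver separately.
SAFE_QUERY = ("SELECT * FROM my_table WHERE date >= :start_date "
              "AND last_name = :last_name")

def run_safe(conn, data):
    # The hostile string is compared as plain data; it never becomes SQL.
    return conn.execute(SAFE_QUERY, data).fetchall()

if __name__ == "__main__":
    print("unsafe, rows left:", run_unsafe(make_db(), HOSTILE))
    conn = make_db()
    print("safe, hostile input:", run_safe(conn, HOSTILE), "rows left:", row_count(conn))
    print("safe, legit input:", run_safe(conn, LEGIT))
```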
_______________________________________________ Tutor maillist - [email protected] http://mail.python.org/mailman/listinfo/tutor
