In the db module, we can use statements like the following:

user = db.select("users", what="id,login", where="login=$user AND password=$pswd", vars=ipt)

We can also do:

user = db.select("users", what="id,login", where="login='{0}' AND password='{1}'".format(ipt.user, ipt.pswd))

I wonder what the difference is. Does the vars way sanitize (escape)
the input values?  The reason I ask is that I used the following:

ids = [1, 2, 3]
# join() needs strings, so the ints are converted first
db.update("users", status=1, where="id in ($ids)", vars={"ids": ",".join(map(str, ids))})

The sql being executed is:

UPDATE users SET status=1 WHERE id IN ('1,2,3')

This is wrong because webpy added quotes to the id list.  How can I
prevent or control the adding of quotes?  Or, if there is no way to
overcome this, I have to use format(), hence this question.

Thanks
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"web.py" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/webpy?hl=en
-~----------~----~----~----~------~----~------~--~---
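The following is an added example, not code from the original post or from web.py itself. It uses Python's standard sqlite3 module instead of web.py's db module to show the two things the question is about: why pasting values in with format() is not the same as binding them as parameters (a value containing a quote character becomes SQL syntax in one case and stays data in the other), and how to bind a list of ids to an IN clause without the whole list being quoted as a single string, by generating one placeholder per element. The table, rows and the "o'brien" login are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory fixture for the demonstration (not from the post).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, "
        "password TEXT, status INTEGER DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO users (id, login, password) VALUES (?, ?, ?)",
        [(1, "alice", "pw1"), (2, "bob", "pw2"), (3, "carol", "pw3"), (4, "dave", "pw4")],
    )
    conn.commit()
    return conn


def login_formatted(conn, user, pswd):
    # Counterpart of the .format() variant: the values are pasted into the
    # SQL text, so the database parser sees them as part of the statement.
    sql = "SELECT id, login FROM users WHERE login='{0}' AND password='{1}'".format(user, pswd)
    return conn.execute(sql).fetchall()


def login_parameterized(conn, user, pswd):
    # Counterpart of the vars= variant: the values are bound separately and
    # never interpreted as SQL, whatever characters they contain.
    sql = "SELECT id, login FROM users WHERE login=? AND password=?"
    return conn.execute(sql, (user, pswd)).fetchall()


def quote_is_data(query_fn, conn):
    # True if a login containing an apostrophe is treated as plain data.
    # A syntax error means the apostrophe was interpreted as SQL instead.
    try:
        return query_fn(conn, "o'brien", "x") == []
    except sqlite3.OperationalError:
        return False


def update_status_in(conn, ids, status):
    # One placeholder per id, so the clause becomes IN (?,?,?) with each id
    # bound individually, rather than IN ('1,2,3') with one quoted string.
    placeholders = ",".join("?" * len(ids))
    sql = "UPDATE users SET status=? WHERE id IN ({0})".format(placeholders)
    cur = conn.execute(sql, [status, *ids])
    conn.commit()
    return cur.rowcount


def statuses(conn):
    # Status column in id order, to check what the update touched.
    return [row[0] for row in conn.execute("SELECT status FROM users ORDER BY id")]


if __name__ == "__main__":
    conn = make_db()
    print("format() keeps quotes as data:", quote_is_data(login_formatted, conn))
    print("parameters keep quotes as data:", quote_is_data(login_parameterized, conn))
    print("rows updated:", update_status_in(conn, [1, 2, 3], 1))
    print("statuses:", statuses(conn))
```

The placeholder-per-element pattern is the portable answer to the "quotes around the whole list" problem: the SQL text is built only from a fixed number of placeholders, and every id still travels as a bound parameter, so there is no need to fall back to format() for the values themselves.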