durusmail: quixote-users: Re: Popularity of Quixote
Popularity of Quixote
2005-10-17
2005-10-17
Re: Popularity of Quixote
2005-10-18
2005-10-19
2005-10-19
2005-10-19
ANN: TURBOZCHERRYPLORAILS
2005-10-19
2005-10-19
2005-10-19
2005-10-22
2005-10-22
2005-10-25
2005-10-25
2005-10-25
2005-10-25
2005-10-25
2005-10-25
2005-10-25
2005-10-25
2005-10-26
2005-10-27
2005-10-27
2005-10-27
2005-10-27
2005-10-27
2005-10-27
2005-10-27
DateTime quoting in psycopg
2005-10-28
Re: Popularity of Quixote
Shalabh Chaturvedi
2005-10-27
On Oct 26, 2005, at 2:47 AM, m wrote:

>
>
>> PTL is the best new idea from Quixote IMO. I was thinking if it made
>> sense to extend the idea to SQL. For example:
>>
>> class Accounts:
>>     database = 'customer'
>>
>>     def getAccountName [sql] (account_id):
>>         "SELECT name FROM accounts WHERE account_id=%s" % account_id
>>
>> Calling the method would not only create the SQL string but also
>> execute it and return the query results.
>>
>> This would enable very clean Python-oriented database access layers.
>
> it would be hideous
>
> ptl outputs plain text, in what form would expect the result set to be
> in ?
>

An iterator over dictionaries or tuples?

> You would also have to escape the output to take into account newlines
> and tabs etc. in the result set.
>
> As an unbounded mass of text, goodbye memory when 500Mb of plain text
> suddenly gets returned.
>
> What about escaping the parameters.
> In your example the string is auto wrapped in ' ' and how will the
> engine know when to escape % ?
>

This would be SQL-escaped similar to the way HTML is escaped within PTL
currently (i.e. an sqltext object similar to the present htmltext).

> demonstrated here :
>
> t = 'the amount is 20% over 5 years'
>
> "select a from b where c = '%s' or d like '%%%s%%'" % (t, t)
>

The above would fire the SQL:
select a from b where c = 'the amount is 20\% over 5 years' or d like
'%the amount is 20\% over 5 years%'" % (t, t)

This works just like strings, except the SQL characters (like single
quote, percent sign) will be escaped by the % operator on sqltext.

There is definitely one problem with clutter - since % is generally
used a more in SQL than in HTML. This wouldn't replace the DB API, just
be a layer on top. On second thoughts, it doesn't seem to add a whole
lot of functionality, though it does seem to promote a single way of
writing SQL in your code.

Shalabh

reply