On 10/27/05, Oleg Broytmann wrote:
> On Thu, Oct 27, 2005 at 11:56:20AM +0100, Paul Moore wrote:
> > ... and you generally shouldn't paste escaped values into SQL
> > statements, but rather use bind variables in any case.
>
> Nice theory. Hard in practice. Python DB API drivers are poor at quoting
> different data types.

Wow! How depressing. I only use Oracle, and cx_Oracle is fine at this. Not
using bind variables is dreadful for performance on Oracle, and allows the
possibility of SQL injection attacks if you're not extremely careful with
quotings.

Do other DBMSs have similar issues? I'd have thought that such issues count
as bugs - do people raise them as such? (I'm not criticising, I just don't
know what people's expectations are for other systems...)

Paul.
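An added illustration of the point being argued in the thread (not code from either poster): the same lookup written once by pasting the value into the SQL text and once with a DB API bind variable. It uses the standard-library sqlite3 module as a stand-in for cx_Oracle, and the table contents and inputs are constructed for the demo; sqlite3 uses the `?` placeholder style, whereas cx_Oracle uses named `:login` binds, which is the kind of driver difference the thread complains about.

```python
import sqlite3

# Constructed sample data, not from the thread. One login contains a quote.
ROWS = [(1, "o'brien", "Alice O'Brien"), (2, "bob", "Bob Smith")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, login TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_interpolated(conn, login):
    # The pattern the thread warns against: the value becomes part of the
    # statement text. A quote in the input changes the SQL itself, and every
    # distinct value is a distinct statement (no plan reuse on Oracle).
    sql = "SELECT id, name FROM users WHERE login = '%s'" % login
    return conn.execute(sql).fetchall()


def lookup_bound(conn, login):
    # Bind variable: the SQL text is constant and the driver ships the value
    # separately, so the input is always data, never syntax.
    sql = "SELECT id, name FROM users WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()


def demo():
    conn = make_db()
    results = {}
    # A legitimate value with an apostrophe: the pasted version is not even
    # valid SQL, the bound version finds the row.
    try:
        lookup_interpolated(conn, "o'brien")
        results["quote_error"] = None
    except sqlite3.OperationalError as exc:
        results["quote_error"] = type(exc).__name__
    results["bound_quote"] = lookup_bound(conn, "o'brien")
    # A hostile value: pasted, it rewrites the WHERE clause and returns every
    # row; bound, it simply matches no login.
    hostile = "x' OR '1'='1"
    results["interpolated_hostile"] = lookup_interpolated(conn, hostile)
    results["bound_hostile"] = lookup_bound(conn, hostile)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```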