durusmail: quixote-users: Re: Popularity of Quixote
Re: Popularity of Quixote
Paul Moore
2005-10-27
On 10/27/05, Oleg Broytmann  wrote:
> On Thu, Oct 27, 2005 at 11:56:20AM +0100, Paul Moore wrote:
> > ... and you generally shouldn't paste escaped values into SQL
> > statements, but rather use bind variables in any case.
>
>   Nice theory. Hard in practice. Python DB API drivers are poor at quoting
> different data types.

Wow! How depressing. I only use Oracle, and cx_Oracle is fine at this.
Not using bind variables is dreadful for performance on Oracle, and
allows the possibility of SQL injection attacks if you're not
extremely careful with quoting. Do other DBMSs have similar issues?

I'd have thought that such issues count as bugs - do people raise them
as such? (I'm not criticising, I just don't know what people's
expectations are for other systems...)

Paul.
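The contrast Paul is drawing (pasting an escaped value into the statement text versus passing it as a bind variable) can be seen with nothing more than the standard-library `sqlite3` module. The following is an added illustration, not code from the original thread or from Quixote; the table, the rows and the lookup functions are constructed for this example. It uses a perfectly legitimate input, the surname O'Brien, to show that the pasted version breaks the SQL itself as soon as the data contains a quote, while the bound version keeps the statement text fixed and treats the value purely as data. The same property is what stops an attacker-controlled string from changing the query.

```python
import sqlite3

# Constructed sample data (not from the original post).
ROWS = [("alice", "alice@example.org"), ("O'Brien", "ob@example.org")]


def make_db():
    """Build an in-memory database with a small users table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_pasted(conn, name):
    """Paste the value into the statement text.

    Every character of the input becomes part of the SQL, so a quote in the
    data (as in O'Brien) terminates the literal early and the statement no
    longer parses. sqlite3 raises OperationalError for this input.
    """
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Pass the value as a bind variable (DB-API 'qmark' style for sqlite3).

    The statement text never changes; the driver hands the value to the
    database as data, so quotes inside it need no escaping at all.
    """
    cur = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur]


def paramstyle():
    """Each DB-API driver advertises its placeholder style; sqlite3 uses '?'.
    Other drivers use 'format' (%s) or 'named' (:name), which is one reason
    the bind-variable habit looks different from driver to driver."""
    return sqlite3.paramstyle


def demo(name="O'Brien"):
    """Run both lookups on the same input and report what happened."""
    conn = make_db()
    results = {"bound": lookup_bound(conn, name)}
    try:
        results["pasted"] = lookup_pasted(conn, name)
    except sqlite3.OperationalError as exc:
        results["pasted"] = "error: %s" % exc
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the bound lookup's correct answer alongside the syntax error from the pasted version; switching the input to something without a quote makes both succeed, which is exactly why pasting "usually works" and then fails on the one input that matters.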