Re: Popularity of Quixote
Ian Bicking
2005-10-27
Paul Moore wrote:
> On 10/27/05, Oleg Broytmann  wrote:
>
>>On Thu, Oct 27, 2005 at 11:56:20AM +0100, Paul Moore wrote:
>>
>>>... and you generally shouldn't paste escaped values into SQL
>>>statements, but rather use bind variables in any case.
>>
>> Nice theory. Hard in practice. Python DB API drivers are poor at quoting
>> different data types.
>
> Wow! How depressing. I only use Oracle, and cx_Oracle is fine at this.
> Not using bind variables is dreadful for performance on Oracle, and
> allows the possibility of SQL injection attacks if you're not
> extremely careful with quotings. Do other DBMSs have similar issues?
>
> I'd have thought that such issues count as bugs - do people raise them
> as such? (I'm not criticising, I just don't know what people's
> expectations are for other systems...)

The drivers for the open source databases use string substitution anyway
(though perhaps at the C level, for a very minor boost), so the
performance difference probably isn't that substantial.

--
Ian Bicking  |  ianb@colorstudy.com  |  http://blog.ianbicking.org
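The point argued in this thread, pasting values into SQL text versus handing them to the driver as bind parameters, can be shown end to end with Python's standard DB API. The following is an added example written for this page, not code from any poster or from Quixote; it uses the stdlib `sqlite3` module with a constructed in-memory table, and all table and column names are invented for the demo. `sqlite3` uses the `qmark` placeholder style (`?`); psycopg uses `pyformat` (`%s`), so the placeholder spelling differs per driver, but the safety property is the same: a bound value is data, never statement text.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    # Even the seed data uses bind parameters rather than string pasting.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    conn.commit()
    return conn


def lookup_naive(conn, name):
    """The pattern the thread warns against: the value is spliced into the
    statement, so whatever quoting the caller did is the only protection."""
    sql = "SELECT email FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """DB API bind parameters: the driver receives the value separately from
    the SQL text. Whether a given driver binds natively (sqlite3 does) or
    escapes on the client side only affects performance, not this property."""
    sql = "SELECT email FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both lookups on the same input and return (naive, bound).

    A naive lookup that fails to parse is reported as an 'error:' string,
    which is the benign failure mode; the non-benign one is the query that
    parses fine but means something else."""
    conn = make_db()
    try:
        naive = lookup_naive(conn, name)
    except sqlite3.Error as exc:
        naive = "error: %s" % exc.__class__.__name__
    bound = lookup_bound(conn, name)
    return naive, bound


if __name__ == "__main__":
    # An ordinary name behaves identically either way.
    print(compare("alice"))
    # An embedded quote: the naive statement no longer parses, the bound
    # one simply matches nothing.
    print(compare("O'Brien"))
    # Input that happens to be valid SQL: the naive statement silently
    # becomes a different query and returns every row; the bound one
    # still treats the whole string as a name and returns nothing.
    print(compare("x' OR 'a'='a"))
```

The third case is the one that matters for the thread's security remark: with pasting, correctness depends on every call site escaping every data type correctly, and Oleg's observation that drivers of the era were inconsistent at quoting is exactly why that is fragile. With binding, the driver's `paramstyle` is the only thing that varies between backends, and the value can never change the shape of the statement.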