Paul Moore wrote:
> On 10/27/05, Oleg Broytmann wrote:
>
>> On Thu, Oct 27, 2005 at 11:56:20AM +0100, Paul Moore wrote:
>>
>>> ... and you generally shouldn't paste escaped values into SQL
>>> statements, but rather use bind variables in any case.
>>
>> Nice theory. Hard in practice. Python DB API drivers are poor at quoting
>> different data types.
>
> Wow! How depressing. I only use Oracle, and cx_Oracle is fine at this.
> Not using bind variables is dreadful for performance on Oracle, and
> allows the possibility of SQL injection attacks if you're not
> extremely careful with quoting. Do other DBMSs have similar issues?
>
> I'd have thought that such issues count as bugs - do people raise them
> as such? (I'm not criticising, I just don't know what people's
> expectations are for other systems...)

The drivers for the open source databases use string substitution anyway
(though perhaps at the C level, for a very minor boost), so the
performance difference probably isn't that substantial.

--
Ian Bicking | ianb@colorstudy.com | http://blog.ianbicking.org
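The bind-variable point in the thread, as an added Python example that is not part of the original messages: it contrasts string substitution with DB-API parameter binding using the standard library sqlite3 module (qmark paramstyle) on a constructed in-memory table, and also shows the driver doing the per-type conversion (None to NULL, int, str) that Oleg says drivers handle poorly.

```python
import sqlite3


def make_db():
    """Constructed in-memory table for the demonstration; no data from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, quota INTEGER)")
    conn.executemany("INSERT INTO users (name, quota) VALUES (?, ?)",
                     [("alice", 10), ("bob", 20), ("o'neil", 30)])
    return conn


def quota_by_name_unsafe(conn, name):
    """String substitution: the caller's text becomes part of the SQL statement.
    A stray quote breaks the statement; a crafted one changes its meaning."""
    sql = "SELECT name, quota FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def quota_by_name_bound(conn, name):
    """Bind variable: the driver passes the value separately from the SQL text,
    so it is always treated as a literal whatever characters it contains."""
    sql = "SELECT name, quota FROM users WHERE name = ?"  # sqlite3 paramstyle is 'qmark'
    return conn.execute(sql, (name,)).fetchall()


def typed_insert_bound(conn, name, quota):
    """The driver, not the caller, converts each Python value to the database
    representation (None -> NULL, int -> INTEGER, str -> TEXT); no quoting code needed."""
    conn.execute("INSERT INTO users (name, quota) VALUES (?, ?)", (name, quota))
    return conn.execute("SELECT quota FROM users WHERE name = ?", (name,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(quota_by_name_bound(db, "o'neil"))          # [("o'neil", 30)]
    try:
        quota_by_name_unsafe(db, "o'neil")             # unbalanced quote: syntax error
    except sqlite3.OperationalError as exc:
        print("unsafe version failed:", exc)
    print(quota_by_name_unsafe(db, "x' OR '1'='1"))   # every row, not just one
    print(quota_by_name_bound(db, "x' OR '1'='1"))    # [] : no such literal name
    print(typed_insert_bound(db, "carol", None))       # None
```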