[SPAM] Re: [mod_python] Problem with html quoted/unquoted

Joshua Ginsberg listspam at flowtheory.net
Tue May 23 08:27:52 EDT 2006


This will work:

c.execute('select foo from bar where baz = %s', (s,))

You are passing two arguments to execute() -- the first being a string 
representing SQL and the second being a tuple of values to be 
substituted in. The execute() method is smart enough to quote where 
necessary.

This will not work:

c.execute('select foo from bar where baz = %s' % (s,))

You are passing a single argument to execute() -- a string that does 
Python string formatting. The execute() method does not have a chance 
to be smart enough to quote where necessary.

In your "quick test on your system" you refer to below, you use the 
first method. In your "I just tried again" you use the second method, 
which is why it fails.

-jag

On May 23, 2006, at 2:22 AM, Wouter van Marle wrote:

> On Tue, 2006-05-23 at 01:49 -0400, Joshua Ginsberg wrote:
>> Wouter --
>>
>> You used % to do string substitution on the first argument to 
>> execute()
>> as opposed to passing a tuple as a second argument to execute().
>
> I don't get your meaning.
> Can you please give me the lines of code as example? Thanks!
>
> Wouter.
>
>>
>> -jag
>>
>> On May 22, 2006, at 11:50 PM, Wouter van Marle wrote:
>>
>>> On Tue, 2006-05-23 at 11:18 +0800, Wouter van Marle wrote:
>>>> On Wed, 2006-05-17 at 18:09 -0400, Jim Gallacher wrote:
>>>>>>> cur.execute("SELECT * FROM base WHERE field = %s", s)
>>>>>>
>>>>>> I have tried this (once) with MySQLdb, and it doesn't seem to work
>>>>> like
>>>>>> that. (v1.2.1g2) Didn't pursue the issue further.
>>>>>
>>>>> You must be doing something wrong. A quick test on my system:
>>>>>
>>>>>>>> s = """This is 'some' stuff with "quotes" and stuff"""
>>>>>>>> cursor.execute('insert into testtable (data) values (%s)', s)
>>>>> 1L
>>>>
>>>> Just tried it for myself - it works now.
>>>
>>> RRrrrriiiiigggghhhttt.... that said.... I just tried again... and now
>>> have a fail. Now I also remember why I didn't use that method yet :)
>>>
>>> - Debian Sarge, MySQLdb 1.2.1g2: works fine.
>>> - Mandriva Linux LE2005 (v10.2), MySQLdb 1.2.1g3: gives SQL error on
>>> this one.
>>>
>>>>>> cursor.execute("INSERT INTO testtable (field1) VALUES ('This is a
>>> string!');")
>>> 1L
>>>>>> cursor.execute("INSERT INTO testtable (field1) VALUES (%s);"% s)
>>>
>>> Traceback (most recent call last):
>>>   File "<pyshell#15>", line 1, in -toplevel-
>>>     cursor.execute("INSERT INTO testtable (field1) VALUES (%s);"% s)
>>>   File "/usr/lib/python2.4/site-packages/MySQLdb/cursors.py", line 
>>> 137,
>>> in execute
>>>     self.errorhandler(self, exc, value)
>>>   File "/usr/lib/python2.4/site-packages/MySQLdb/connections.py", 
>>> line
>>> 33, in defaulterrorhandler
>>>     raise errorclass, errorvalue
>>> ProgrammingError: (1064, 'You have an error in your SQL syntax; check
>>> the manual that corresponds to your MySQL server version for the 
>>> right
>>> syntax to use near \'\'some\' stuff with "quotes" and stuff)\' at 
>>> line
>>> 1')
>>>
>>> - Mandriva Linux 2006.0, MySQLdb 1.2.0final: works fine.
>>>
>>> So there is a serious bug in MySQLdb as well; seems to be the 1.2.1g3
>>> version.
>>>
>>> Wouter.
>>>
>>>> Maybe I had an older version of MySQLdb when testing? I don't know
>>>> anymore. I'll follow your advice and fix my code!
>>>>
>>>> And after that the info in the databases... that's going to be a
>>>> harder
>>>> job.
>>>>
>>>> Wouter.
>>>>
>>>>
>>>> _______________________________________________
>>>> Mod_python mailing list
>>>> Mod_python at modpython.org
>>>> http://mailman.modpython.org/mailman/listinfo/mod_python
>>>>
>>>>
>>>
>>> _______________________________________________
>>> Mod_python mailing list
>>> Mod_python at modpython.org
>>> http://mailman.modpython.org/mailman/listinfo/mod_python
>>
>>
>



More information about the Mod_python mailing list