db module properly formats arguments, if input arguments are separated fromtable_name and colum_names.... .
columns = ('tID', 'tNote')
table_name = 'tmp'
sql = 'select %s from %s where tID=:1' % ( ', '.join(columns) , table_name)
cursor.execute( sql, (1,))
# sql is now 'select tID, tNote from tmp where tID=:1'
# note the comma in argument tuple to execute (1,)
thanks Edwin
-----Original Message-----
From: python-list-bounces+edwin.m adari=verizonwi reless.com@pyth on.org
[mailto:python-list-bounces+edwin.m adari=verizonwi reless.com@pyth on.org]
On Behalf Of Eric Wertman
Sent: Thursday, August 14, 2008 2:13 PM
To: python-list@python.org
Subject: Re: a question about mysqldb
I also like to use escaped identifiers in cases like this:
sql = "select tID,tNote from %s where %s = %%s" % ("tmp","tID" )
cursor.execute( sql,1)
should work fine.
--
The information contained in this message and any attachment may be
proprietary, confidential, and privileged or subject to the work
product doctrine and thus protected from disclosure. If the reader
of this message is not the intended recipient, or an employee or
agent responsible for delivering this message to the intended
recipient, you are hereby notified that any dissemination,
distribution or copying of this communication is strictly prohibited.
If you have received this communication in error, please notify me
immediately by replying to this message and deleting it and all
copies and backups thereof. Thank you.
columns = ('tID', 'tNote')
table_name = 'tmp'
sql = 'select %s from %s where tID=:1' % ( ', '.join(columns) , table_name)
cursor.execute( sql, (1,))
# sql is now 'select tID, tNote from tmp where tID=:1'
# note the comma in argument tuple to execute (1,)
thanks Edwin
-----Original Message-----
From: python-list-bounces+edwin.m adari=verizonwi reless.com@pyth on.org
[mailto:python-list-bounces+edwin.m adari=verizonwi reless.com@pyth on.org]
On Behalf Of Eric Wertman
Sent: Thursday, August 14, 2008 2:13 PM
To: python-list@python.org
Subject: Re: a question about mysqldb
I also like to use escaped identifiers in cases like this:
sql = "select tID,tNote from %s where %s = %%s" % ("tmp","tID" )
cursor.execute( sql,1)
should work fine.
--
The information contained in this message and any attachment may be
proprietary, confidential, and privileged or subject to the work
product doctrine and thus protected from disclosure. If the reader
of this message is not the intended recipient, or an employee or
agent responsible for delivering this message to the intended
recipient, you are hereby notified that any dissemination,
distribution or copying of this communication is strictly prohibited.
If you have received this communication in error, please notify me
immediately by replying to this message and deleting it and all
copies and backups thereof. Thank you.