<russell@keith-magee.com> wrote:
>
>So - in order for Django to provide a 100% guaranteed correct output for Queryset.query.__str__(), we would need to re-implement the quoting and escaping feature of the PyDB backend -- and we'd need to do so for every backend (because quoting and escaping requirements are slightly different for every backend). This would be complex to implement, would be error prone, and would lead to even more confusing errors whenever the quoting/escaping failed to implement exactly what the PyDB backend implements.
This ignores the fact that some of the DB-API level adapters do
actual parameterized queries at the database engine level. That is, the
engine supports compiled/parameterized SQL and is invoked with a packet
containing the real values as an array of values. NO quoting performed
at the client end.
MySQLdb, however, is one that does do quoting/escaping in the
client. Prior to MySQL v5, MySQL only supported complete SQL statements
-- sent as text; v5 finally added support for compiled SQL in which the
parameters are sent as an array of values to the engine. But for
compatibility, MySQLdb probably ignores that capability. {This is also
why MySQLdb uses the %s placeholder -- at the bottom end it just does
statement = SQL % escape(parameters)
where escape() is a function that converts the argument to a string
representation, scans the string for verboten values and escapes them,
and finally wraps the whole string value in a pair of quotes.}
--
Wulfraed Dennis Lee Bieber AF6VN
wlfraed@ix.netcom.com HTTP://wlfraed.home.netcom.com/
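The two adapter styles described in the message, side by side, as an added example that is not part of the original thread and is not MySQLdb's or Django's own code. The escape() here is a model of the behaviour the message attributes to MySQLdb (stringify, neutralise the quote characters, wrap in quotes); it uses SQL-standard quote doubling rather than MySQL's backslash escaping so the rendered statement is also valid for SQLite, which runs the demo in memory. The table, rows and function names are constructed for the example.

```python
import sqlite3

# Constructed sample data for the demo (not from the thread).
ROWS = [("O'Brien", 42), ("Smith", 7)]


def escape(value):
    """Client-side escaping in the style the message attributes to MySQLdb
    (a model, not MySQLdb's own code): convert the argument to a string,
    neutralise the characters that would end the literal early, and wrap
    the result in single quotes.  Numbers and NULL need no quotes."""
    if value is None:
        return "NULL"
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    # SQL-standard doubling so SQLite accepts the result; MySQL would
    # instead backslash-escape the quote.
    return "'" + str(value).replace("'", "''") + "'"


def render_client_side(sql, params):
    """What a client-quoting adapter does: the engine never sees the
    parameters separately, only one complete text statement, which is
    why the placeholder is plain %s."""
    return sql % tuple(escape(p) for p in params)


def setup():
    """Build an in-memory SQLite database holding ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, score INTEGER)")
    conn.executemany("INSERT INTO people VALUES (?, ?)", ROWS)
    return conn


def query_client_side(conn, name):
    """Render the statement as text first, then hand the text to the engine.
    Returns (rendered statement, rows) so the caller can inspect both."""
    stmt = render_client_side("SELECT score FROM people WHERE name = %s", (name,))
    return stmt, conn.execute(stmt).fetchall()


def query_parameterized(conn, name):
    """What an engine-level parameterized adapter does: SQL text and the
    value travel separately and no quoting happens in the client at all.
    A quote inside the value is just data to the engine."""
    return conn.execute("SELECT score FROM people WHERE name = ?", (name,)).fetchall()


def naive_interpolation(conn, name):
    """The failure mode both adapters exist to prevent: %-formatting the raw
    value into the SQL text.  A quote in the data breaks the statement, and
    the engine reports a syntax error instead of returning rows."""
    stmt = "SELECT score FROM people WHERE name = '%s'" % name
    try:
        return conn.execute(stmt).fetchall()
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc


if __name__ == "__main__":
    db = setup()
    print(query_client_side(db, "O'Brien"))
    print(query_parameterized(db, "O'Brien"))
    print(naive_interpolation(db, "O'Brien"))
```

The rendered text from query_client_side is the only place where "the SQL that ran" exists as a string; with query_parameterized there is no such string on the client side, which is the practical reason a driver-independent str(queryset.query) cannot promise to match what the engine executed.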