Doc Flabby wrote:
You should use parameterised queries, e.g.
SQL like this: "INSERT INTO table(c1,c2,c3) VALUES (?,?,?)", then bind the parameters with http://www.sqlite.org/c3ref/bind_blob.html . This eliminates the need to escape the strings and also has better performance.
Code:
import asss
from pysqlite2 import dbapi2 as sqlite3

class ModuleDataLayer:
    # interface id registered with the module manager
    iid = asss.I_MODULE_DB

    def Open(self):
        self.conn = sqlite3.connect('/some/database.db')

    def GetSomeString(self, id):
        c = self.conn.cursor()
        # the id is bound as a parameter, never formatted into the SQL text
        c.execute('SELECT some_string FROM some_table WHERE id = ?', (id,))
        s = c.fetchone()  # a row tuple, or None if no row matched
        c.close()
        return s

    def InsertSomeData(self, text, number):
        c = self.conn.cursor()
        c.execute('INSERT INTO some_table (some_string, foreign_key) VALUES (?, ?)',
                  (text, number))
        self.conn.commit()
        c.close()

    def Close(self):
        self.conn.close()

def mm_attach(a):
    a.module_db = ModuleDataLayer()
    a.module_db_int = asss.reg_interface(a.module_db, a)

def mm_detach(a):
    try:
        delattr(a, 'module_db')
        delattr(a, 'module_db_int')
    except AttributeError:
        pass
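An added example (not from the post above) showing why the bound form matters: the same lookup written by splicing the value into the SQL text and written with a `?` placeholder, run against a constructed in-memory table using the standard-library sqlite3 module rather than pysqlite2. A value containing a quote is parsed as SQL in the first case and treated purely as data in the second.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for some_table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE some_table (id INTEGER PRIMARY KEY, some_string TEXT)")
    conn.executemany("INSERT INTO some_table (id, some_string) VALUES (?, ?)",
                     [(1, "alpha"), (2, "beta"), (3, "gamma")])
    conn.commit()
    return conn


def lookup_unsafe(conn, some_id):
    # The pattern the thread warns against: the caller's value becomes part of
    # the SQL text, so quote characters in it are parsed as SQL, not data.
    sql = "SELECT some_string FROM some_table WHERE id = '%s' ORDER BY id" % some_id
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, some_id):
    # Parameterised form from the post: '?' is a placeholder and the value is
    # bound separately, so SQLite never parses it as SQL. No escaping needed.
    sql = "SELECT some_string FROM some_table WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (some_id,))]


def compare(some_id):
    """Return (unsafe_result, bound_result) for the same input value."""
    conn = make_db()
    try:
        return lookup_unsafe(conn, some_id), lookup_bound(conn, some_id)
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("2"))             # both return ['beta']
    print(compare("2' OR '1'='1"))  # unsafe returns every row; bound returns []
```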
Cheese wrote:
While we are here,
what's the difference in PHP between the magic_quotes() and mysqlrealescapestring() functions? I've always assumed that they're the same, just the 2nd uses a connection to the db somehow... :S