On Tue, Oct 13, 2009 at 11:49 AM, Serdar Tumgoren <zstumgo...@gmail.com> wrote:
>> In reference to this tip, my question is why?
>
>> - don't use string formatting to create SQL statements - use the
>> two-argument form of execute() to pass args as a sequence
>>
>
> SQL injection is the primary reason:
>
> http://en.wikipedia.org/wiki/SQL_injection
And the classic xkcd: http://xkcd.com/327/

I'm not sure about this, but I think there is also a possible performance boost if you are executing the same SQL with different parameters; if the parameters are not part of the SQL then there is some pre-processing that can be cached and re-used.

Kent
_______________________________________________
Tutor maillist - Tutor@python.org
To unsubscribe or change subscription options:
http://mail.python.org/mailman/listinfo/tutor
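The difference the thread is talking about, as an added example that is not part of the original posts: both query functions look up a name in a constructed in-memory sqlite3 table, one by pasting the input into the SQL text with string formatting and the other with the two-argument form of execute(). The table, the row values and the inputs are constructed for this demonstration; the second insert also uses executemany() with a parameter sequence, which is the "same SQL, different parameters" case Kent mentions.

```python
import sqlite3


def make_db():
    """Build a small constructed table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    # One statement, several parameter tuples: the driver reuses the
    # parsed statement instead of re-parsing new SQL text for each row.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("o'brien", "ob@example.com")],
    )
    conn.commit()
    return conn


def find_unsafe(conn, name):
    """String formatting: the input becomes part of the SQL text itself."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_safe(conn, name):
    """Two-argument execute(): the input is bound as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def run_demo():
    """Compare both forms on an ordinary name, a name containing a quote,
    and the classic tautology input from the SQL injection article."""
    conn = make_db()

    # An apostrophe in legitimate data breaks the formatted query outright.
    try:
        find_unsafe(conn, "o'brien")
        apostrophe_result = "ran"
    except sqlite3.OperationalError:
        apostrophe_result = "syntax error"

    tautology = "' OR '1'='1"
    return {
        "safe_alice": find_safe(conn, "alice"),
        "safe_obrien": find_safe(conn, "o'brien"),
        "unsafe_obrien": apostrophe_result,
        # Formatted: WHERE name = '' OR '1'='1' matches every row.
        "unsafe_tautology": find_unsafe(conn, tautology),
        # Parameterized: the whole string is compared as a name; nothing matches.
        "safe_tautology": find_safe(conn, tautology),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The apostrophe case is worth noticing even before thinking about attackers: string formatting fails on perfectly honest input like "o'brien", while the parameterized form handles it without any quoting code of your own.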