Forum: Too Lazy BBS

Escaping Strings

From Lawrence D'Oliveiro@ldo@nz.invalid to comp.databases.mysql on Mon Jul 15 22:46:15 2024

From Newsgroup: comp.databases.mysql

In standard SQL, backslashes have no special significance. String literals
are delimited by single quotes, and any characters (except single quotes)
are allowed in them; to include a single quote in the string, write it
twice.

So in Python, this expression is sufficient to turn a string rCLsrCY into a standard SQL string literal:

"'" + s.replace("'", "''") + "'"
--- Synchronet 3.21d-Linux NewsLink 1.2

From J.O. Aho@user@example.net to comp.databases.mysql on Mon Aug 19 11:24:06 2024

From Newsgroup: comp.databases.mysql

On 16/07/2024 00.46, Lawrence D'Oliveiro wrote:

In standard SQL, backslashes have no special significance. String literals are delimited by single quotes, and any characters (except single quotes)
are allowed in them; to include a single quote in the string, write it
twice.

So in Python, this expression is sufficient to turn a string rCLsrCY into a standard SQL string literal:

"'" + s.replace("'", "''") + "'"

I would looked into using parameterized queries, here is a python example https://pynative.com/python-mysql-execute-parameterized-query-using-prepared-statement/
--
//Aho
--- Synchronet 3.21d-Linux NewsLink 1.2

From Lawrence D'Oliveiro@ldo@nz.invalid to comp.databases.mysql on Fri Aug 23 02:33:36 2024

From Newsgroup: comp.databases.mysql

On Mon, 19 Aug 2024 11:24:06 +0200, J.O. Aho wrote:

I would looked into using parameterized queries ...

There are lots of cases they donrCOt handle. Like for example LIKE and
REGEXP operands.
--- Synchronet 3.21d-Linux NewsLink 1.2

From J.O. Aho@user@example.net to comp.databases.mysql on Fri Aug 23 07:52:38 2024

From Newsgroup: comp.databases.mysql

On 23/08/2024 04.33, Lawrence D'Oliveiro wrote:

On Mon, 19 Aug 2024 11:24:06 +0200, J.O. Aho wrote:

I would looked into using parameterized queries ...

There are lots of cases they donrCOt handle. Like for example LIKE and
REGEXP operands.

LIKE:
select * from table where column1 like ?;

you have the %'s in the parameterized value.

If you have issues, you can always use functions or store procedures
which you use with parametrization.
--
//Aho

--- Synchronet 3.21d-Linux NewsLink 1.2

From Lawrence D'Oliveiro@ldo@nz.invalid to comp.databases.mysql on Sat Aug 24 22:49:38 2024

From Newsgroup: comp.databases.mysql

On Fri, 23 Aug 2024 07:52:38 +0200, J.O. Aho wrote:

On 23/08/2024 04.33, Lawrence D'Oliveiro wrote:

On Mon, 19 Aug 2024 11:24:06 +0200, J.O. Aho wrote:

I would looked into using parameterized queries ...

There are lots of cases they donrCOt handle. Like for example LIKE and
REGEXP operands.

LIKE:
select * from table where column1 like ?;

Like: you want to do a partial match on what the user typed. And what
the user typed can include characters like rCL%rCY and rCL_rCY, which you donrCOt want to be mistaken for wildcards.

Another example: can your parameterized queries handle dynamic SQL
like this?

for artwork_url, timestamp in \
db_iter \
(
conn = db,
cmd =
"select artworks.artwork_url as artwork_url,"
" %(func)s(artwork_stats.timestamp) as timestamp"
" from artworks inner join artwork_stats on"
" artworks.artwork_url = artwork_stats.artwork_url"
" group by artwork_stats.artwork_url"
" order by timestamp %(order)s"
%
{
"func" : ("min", "max")[which == "latest"],
"order" : ("asc", "desc")[which == "earliest"],
}
) \
:
sys.stdout.write \
(
"%s %s\n"
%
(artwork_url, format_timestamp(timestamp))
)
#end for
--- Synchronet 3.21d-Linux NewsLink 1.2

From J.O. Aho@user@example.net to comp.databases.mysql on Sun Aug 25 09:27:30 2024

From Newsgroup: comp.databases.mysql

On 25/08/2024 00.49, Lawrence D'Oliveiro wrote:

On Fri, 23 Aug 2024 07:52:38 +0200, J.O. Aho wrote:

On 23/08/2024 04.33, Lawrence D'Oliveiro wrote:

On Mon, 19 Aug 2024 11:24:06 +0200, J.O. Aho wrote:

I would looked into using parameterized queries ...

There are lots of cases they donrCOt handle. Like for example LIKE and
REGEXP operands.

LIKE:
select * from table where column1 like ?;

Like: you want to do a partial match on what the user typed. And what
the user typed can include characters like rCL%rCY and rCL_rCY, which you donrCOt want to be mistaken for wildcards.

Another example: can your parameterized queries handle dynamic SQL
like this?

did you try to wrap it into a stored procedure?

--- Synchronet 3.21d-Linux NewsLink 1.2

From Lawrence D'Oliveiro@ldo@nz.invalid to comp.databases.mysql on Thu Sep 5 06:11:19 2024

From Newsgroup: comp.databases.mysql

On Sun, 25 Aug 2024 09:27:30 +0200, J.O. Aho wrote:

On 25/08/2024 00.49, Lawrence D'Oliveiro wrote:

Another example: can your parameterized queries handle dynamic SQL like
this?

did you try to wrap it into a stored procedure?

ThatrCOs a rCLnorCY, then.
--- Synchronet 3.21d-Linux NewsLink 1.2

Who's Online
Recent Visitors
- Sykotik
  Tue Apr 14 16:22:53 2026
  from Canada via Telnet
- Morningstarr
  Sun Apr 12 15:27:15 2026
  from Concord, Nc via Telnet
- Rixter
  Fri Apr 3 06:57:42 2026
  from Madison, Nc via SSH
- Voltman
  Wed Apr 1 11:17:50 2026
  from Calgary, Alberta via Telnet

System Info

Sysop:	Amessyroom
Location:	Fayetteville, NC
Users:	63
Nodes:	6 (0 / 6)
Uptime:	492975:35:03
Calls:	840
Files:	1,301
D/L today:	16 files (28,385K bytes)
Messages:	264,959