From: Ben L. <pyp...@zu...> - 2003-04-14 12:24:06

Exactly. I'm writing an app with a web-based interface and I've made myself a load of objects that all inherit from a base class called Field. I can call a method and the Field will return HTML code to edit itself; if it is a DateField that will consist of some listboxes, for booleans a checkbox. I then have some business objects which carry a list of fields. When I tell the business object to write itself to the database it constructs a query along the lines of:

    sql = "UPDATE %s SET " % bizobj.table
    for field in bizobj.fields:
        sql += "%s = '%s' " % (field.name, field.value)
    sql += ";"

When I accept input from the web I don't want someone attempting to inject their own SQL, nor do I want the query to fail if they type a character that needs escaping, e.g. '

I could write a function to check all this myself but I'd rather use what's in pyPgSQL.

ByteA fields are causing me problems using the approach above. I get the following error when field.value contains PgSQL.PgBytea(binary_data):

    TypeError: query() argument 1 must be string without null bytes, not str

I'm not sure how to solve it.

Thanks,
Ben.

On Monday 14 Apr 2003 12:22 pm, Karsten Hilbert wrote:
> Ben,
>
> you mean like
>
> sql = "SELECT wibble FROM wobble "
>
> if foo:
>     sql += " WHERE somefield = '%s';" % some_variable
> elif bar:
>     sql += " WHERE someotherfield = '%s';" % some_other_variable
>
> ?
>
> Karsten
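The two problems in the post (quotes from web input breaking or hijacking the query, and a PgBytea value with NUL bytes being pasted into the query string) have the same root cause: the values are formatted into the SQL text. The fix is to keep the SQL text and the values separate and let the DB-API driver bind them. The example below is added here and is not code from the thread or from pyPgSQL; it uses the standard-library sqlite3 module as a stand-in so it runs without a PostgreSQL server, and the `Field` class, `build_update` and the sample rows are constructed for the illustration. The `placeholder` argument exists because sqlite3 uses `?` while pyPgSQL, as I understand its DB-API cursor, takes `%s` placeholders in `cursor.execute(sql, params)` and binds a `PgSQL.PgBytea(...)` object correctly when it is passed in `params` rather than in the string (that is my reading of the driver, not something confirmed in the thread).

```python
import re
import sqlite3

# Constructed stand-in for the Field objects described in the post:
# each carries a column name (from trusted code) and a value (from the web).
class Field:
    def __init__(self, name, value):
        self.name = name
        self.value = value

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def safe_ident(name):
    """Table and column names cannot be bound as parameters, so they must
    come from trusted code; refuse anything that is not a plain identifier."""
    if not _IDENT.match(name):
        raise ValueError("unsafe identifier: %r" % name)
    return name

def build_update(table, fields, key_name, key_value, placeholder="?"):
    """Return (sql, params). SET clauses carry placeholders only; the values
    travel in `params`, so quotes or NUL bytes in a value never reach the SQL
    text. placeholder="?" suits sqlite3, "%s" suits pyPgSQL-style drivers."""
    assignments = ", ".join(
        "%s = %s" % (safe_ident(f.name), placeholder) for f in fields
    )
    sql = "UPDATE %s SET %s WHERE %s = %s" % (
        safe_ident(table), assignments, safe_ident(key_name), placeholder
    )
    params = tuple(f.value for f in fields) + (key_value,)
    return sql, params

def demo():
    """Update a row with a hostile string and a NUL-containing blob, then
    read it back; returns (sql_text, stored_row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT, "
        "active INTEGER, photo BLOB)"
    )
    conn.execute("INSERT INTO person (id, name, active, photo) "
                 "VALUES (1, 'old', 0, NULL)")
    # Constructed web input: an injection attempt and binary data with NULs.
    fields = [
        Field("name", "O'Brien'; DROP TABLE person; --"),
        Field("active", 1),
        Field("photo", b"\x89PNG\x00\x00binary"),
    ]
    sql, params = build_update("person", fields, "id", 1)
    conn.execute(sql, params)          # values bound by the driver, not formatted
    conn.commit()
    row = conn.execute(
        "SELECT name, active, photo FROM person WHERE id = 1"
    ).fetchone()
    conn.close()
    return sql, row

if __name__ == "__main__":
    sql, row = demo()
    print(sql)
    print(row)
```

The stored name comes back exactly as typed, quote and all, the table still exists, and the blob round-trips with its NUL bytes intact; none of that requires a hand-written escaping routine. The one thing parameters cannot cover is identifiers, which is why `safe_ident` rejects anything that is not a bare name: in the design from the post, `field.name` and `bizobj.table` are defined by the Field subclasses rather than by the browser, and the check keeps it that way.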