This is kinda OT, so feel free to tell me where to go :)
I just noticed that Python's MySQL bindings combine commands and parameters
before they get sent to the server:
    def execute(self, query, args=None):
        ...
        if args is not None:
            # the driver quotes/escapes args itself and splices them into the SQL text
            query = query % db.literal(args)
Unless I'm mistaken, this is in general: bad.
I would like to bring it to someone's attention in hopes that it will be
improved, but first I need to make a case for why.
What I am looking for is a write-up on why keeping parameters separate is
important. I think I know, but I am not a reliable source. So something on
mysql.com or from a MySQL dev would carry a bit more weight.
Carl K
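As an added example that is not part of this post or of MySQLdb: a small emulation of the client-side `query % db.literal(args)` merge quoted above (mysqldb_style_literal is my approximation of the library's quoting, not its real code), next to real parameter binding using Python's bundled sqlite3 module, which stands in for a MySQL server so it runs offline.

```python
import sqlite3

def mysqldb_style_literal(value):
    """Approximation of what MySQLdb's db.literal() does for one value:
    the client quotes and backslash-escapes the data itself. Hypothetical
    emulation for illustration, not the library's own code."""
    if value is None:
        return "NULL"
    if isinstance(value, (int, float)):
        return str(value)
    escaped = (str(value).replace("\\", "\\\\").replace("'", "\\'")
               .replace("\n", "\\n").replace("\0", "\\0"))
    return "'" + escaped + "'"

def client_side_execute(query, args):
    """Reproduces the `query % db.literal(args)` step: SQL text and data are
    merged on the client, so the server only ever receives one string and
    the SQL text itself is subject to Python %-formatting."""
    return query % tuple(mysqldb_style_literal(a) for a in args)

def client_side_percent_pitfall():
    """A legitimate '%' wildcard in the SQL text collides with %-formatting;
    returns True if the merge fails, which it does for this query."""
    try:
        client_side_execute(
            "SELECT name FROM authors WHERE name LIKE '100%' OR name = %s", ("x",))
        return False
    except ValueError:
        return True

def bound_query(conn, query, args):
    """Real parameter separation: sqlite3 hands the statement and the values
    to the engine independently, so values are never parsed as SQL."""
    return sorted(row[0] for row in conn.execute(query, args))

def demo():
    # Constructed in-memory sample data; sqlite3 is used here only because
    # it ships with Python, the binding behaviour is what matters.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE authors (name TEXT)")
    conn.executemany("INSERT INTO authors VALUES (?)",
                     [("O'Reilly",), ("Knuth",), ("100% pure",)])
    # The quote in the bound value is plain data and the '%' in the SQL text
    # is plain SQL; neither needs escaping or doubling by the caller.
    return bound_query(conn,
        "SELECT name FROM authors WHERE name = ? OR name LIKE '100%'", ("O'Reilly",))
```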