Paul DuBois wrote:
> At 8:43 PM -0500 6/11/07, Carl Karsten wrote:
>> This is kinda OT, so feel free to tell me where to go :)
>>
>> I just noticed that python's mysql bindings combine commands and
>> parameters before they get sent to the server:
>>
>> def execute(self, query, args=None):
>>     ...
>>     if args is not None:
>>         query = query % db.literal(args)
>>
>> Unless I'm mistaken, this is in general: bad.
>>
>> I would like to bring it to someone's attention in hopes that it will
>> be improved, but first I need to make a case for why.
>
> You might begin by demonstrating some actual bugs with the current
> code. Have you found some? I'm sure that Andy would appreciate
> hearing about them if so.
>
> Otherwise, you might find yourself in the position of arguing,
> "well, yes, MySQLdb works, but I think you should change it anyway."
I agree, but
A) not sure there are any (but that doesn't make it bad, though I think it has
been deemed 'bad' by qualified people - or person: Chad. Thanks Chad.)
B) too often that just leads to the bugs being fixed, but not addressing the
overall bad design; in this case "don't mix code with data"
>
>>
>> What I am looking for is a write up on why keeping parameters separate
>> is important. I think I know, but I am not a reliable source. So
>> something on mysql.com or from a mysql dev would carry a bit more weight.
>
In response to Chad's
> I suspect you can make this argument, Carl. Research what prepared statements
> are for.
Over on the python db list http://mail.python.org/mailman/listinfo/db-sig
various arguments are being made, and the signal to noise is pretty good. But I
am not sure people are listening, and I think it is because the people talking
don't have some 'status.' That is why I am looking for something backed by more
than just a single author. Something that has gone through the whole "published"
process: written, edited, reviewed by more than one person, then made public
by someone whose reputation is at stake, so they would not want to publish
rubbish.
Carl K
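The two approaches the thread contrasts, as an added example that is not part of the original messages or of MySQLdb: the stdlib sqlite3 module stands in for the MySQL server so it runs offline, and the `literal()` helper is a hypothetical stand-in written here to mimic the idea of `db.literal()` (quote and escape each value on the client), not MySQLdb's own code. `run_interpolated()` merges data into the SQL text before execution, the way `query % db.literal(args)` does; `run_bound()` keeps the SQL text fixed and hands the values to the driver separately. The sample table rows are constructed for the demonstration.

```python
"""Client-side parameter merging (MySQLdb-style `query % literal(args)`) versus
driver-side binding, demonstrated with sqlite3 so it runs offline.

The literal() helper is a hypothetical stand-in for db.literal(), written for
this example; it is not MySQLdb code.
"""
import sqlite3


def setup_db():
    """Constructed sample data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("O'Brien", "ob@example.test"), ("Smith", "smith@example.test")],
    )
    return conn


def literal(value):
    """Hypothetical client-side quoting in the spirit of db.literal():
    the client has to reproduce the server's string-literal rules exactly,
    because the server will see only the merged text."""
    if value is None:
        return "NULL"
    if isinstance(value, (int, float)):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"


def run_interpolated(conn, template, args, escape=True):
    """Merge data into the SQL text before it reaches the database.
    Returns (status, payload); status is 'ok', 'format-error' or 'sql-error'."""
    pieces = tuple(literal(a) if escape else str(a) for a in args)
    try:
        # The % step is a second parser run over the SQL text itself, so any
        # literal '%' in the query (e.g. a LIKE pattern) is read as a format spec.
        merged = template % pieces
    except ValueError as exc:
        return ("format-error", str(exc))
    try:
        return ("ok", [row[0] for row in conn.execute(merged)])
    except sqlite3.Error as exc:
        return ("sql-error", str(exc))


def run_bound(conn, sql, args):
    """Keep SQL text and data separate; the driver/server binds the values,
    so no client-side escaping of the data is involved at all."""
    try:
        return ("ok", [row[0] for row in conn.execute(sql, args)])
    except sqlite3.Error as exc:
        return ("sql-error", str(exc))


if __name__ == "__main__":
    db = setup_db()
    # 1. A value containing a quote character.
    #    Unescaped merging yields broken SQL (and is the classic injection vector):
    print(run_interpolated(db, "SELECT email FROM users WHERE name = '%s'",
                           ["O'Brien"], escape=False))
    #    Escaped merging works only as long as literal() matches the server's rules:
    print(run_interpolated(db, "SELECT email FROM users WHERE name = %s", ["O'Brien"]))
    #    Binding needs no escaping:
    print(run_bound(db, "SELECT email FROM users WHERE name = ?", ["O'Brien"]))
    # 2. SQL text that itself contains '%': the merge step misreads the LIKE pattern.
    print(run_interpolated(
        db, "SELECT email FROM users WHERE name LIKE '%Smi%' AND email = %s",
        ["smith@example.test"]))
    print(run_bound(
        db, "SELECT email FROM users WHERE name LIKE '%Smi%' AND email = ?",
        ["smith@example.test"]))
```

The second case is the practical cost of "mixing code with data" even when the escaping is correct: because `%` formatting runs over the whole query string, a `LIKE '%Smi%'` pattern has to be written as `%%Smi%%` whenever arguments are supplied, whereas the bound form leaves the SQL text exactly as written.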