On Mon, 9 Nov 2020 at 02:49, Vladimir Ryabtsev <greatvovan@gmail.com> wrote:
>
> A wild idea: support both client-side (like in psycopg2) and server-side binding. Keep old '%s' syntax and provide a
separatemethod for client-side binding (not in 'cur.execute()'). This could alleviate cases like parameters
roundtrippingand other cases of safe query composition. At the same time use '$N' for true server-side binding.
> Is it an overcomplication or there are valid use-cases of that?
Such a thing exists already: there is a client-side binding library,
which is pretty much a direct porting of the psycopg2.sql module
(https://www.psycopg.org/docs/sql.html). Using that facility, you can
compose argument client-side with `query = sql.SQL("select {},
%s").format("hello")` and pass the above to `cursor.execute(query,
[42]). It uses `{}` and `{name}`-style parameters to bind client-side
so it leaves %s placeholders untouched for execute().
In psycopg3 I've made it slightly easier to use by letting
`SQL.format()` to accept any Python object, and automatically wrapping
it into a `Literal()` object, whereas in psycopg2 `format()` only
accepted "`Composible`" objects, and you should have written the above
as `sql.SQL("select {}, %s").format(Literal("hello"))`.
-- Daniele