Re: Sql injection attacks

From: Pierre-Frédéric Caillaud
Subject: Re: Sql injection attacks
Msg-id: opsbr90lipcq72hf@musicbox
In reply to: Re: Sql injection attacks  (Tom Allison <tallison@tacocat.net>)
List: pgsql-general
    Python has an interface like this:

    params = { 'mystrfield': 'hello', 'myintfield': 5 }

    cursor.execute( "SELECT myfield FROM mytable WHERE "
                    "mystrfield=%(mystrfield)s AND myintfield=%(myintfield)d;", params )

    It has the following advantages:
    - separation of SQL from data
    - named parameters
        - no problem with order
        - one parameter can be reused several times
    - automatic escaping of strings
    - automatic enforcement of int, float etc. types with %d and %f (throws an
      exception otherwise)

    The only problem so far with Python's DB-API is that it does not
    understand arrays, so they have to be stringified first.
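The contrast the post draws (data spliced into the SQL text versus bound as parameters, with one named parameter reusable in the same statement), as an added example that is not code from the original post or from any PostgreSQL driver. It runs against the standard-library sqlite3 module so it works offline; sqlite3 uses the `:name` paramstyle rather than the `%(name)s` pyformat style the post shows, and it does no type enforcement of its own, so the integer check here is an application-side stand-in for what the post attributes to `%d`. The table, rows and injection payload are constructed for the example.

```python
"""Parameterised queries vs. string formatting, demonstrated on SQLite.

Added example, not from the original mailing-list post.  The post's snippet
targets a PostgreSQL DB-API driver with the 'pyformat' paramstyle (%(name)s);
sqlite3 uses the 'named' paramstyle (:name).  Placeholders differ, the
principle (SQL text and data never mixed) is the same.
"""
import sqlite3


def make_db():
    """In-memory database with a few constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mytable (myfield TEXT, mystrfield TEXT, myintfield INTEGER)"
    )
    conn.executemany(
        "INSERT INTO mytable VALUES (?, ?, ?)",
        [("row-a", "hello", 5), ("row-b", "secret", 5), ("row-c", "hello", 9)],
    )
    return conn


def lookup_vulnerable(conn, mystrfield, myintfield):
    """The anti-pattern: caller data pasted into the SQL text with Python
    string formatting.  A quote in mystrfield ends the literal and the rest
    of the input becomes SQL."""
    sql = (
        "SELECT myfield FROM mytable WHERE mystrfield='%s' AND myintfield=%s"
        % (mystrfield, myintfield)
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, mystrfield, myintfield):
    """SQL and data kept apart: the driver binds the values, so quotes in
    mystrfield are just characters of the value.  The isinstance check is an
    application-side substitute for the %d type enforcement the post
    describes; sqlite3's named paramstyle has no typed placeholder."""
    if not isinstance(myintfield, int) or isinstance(myintfield, bool):
        raise TypeError("myintfield must be an int, got %r" % (myintfield,))
    params = {"mystrfield": mystrfield, "myintfield": myintfield}
    sql = (
        "SELECT myfield FROM mytable "
        "WHERE mystrfield=:mystrfield AND myintfield=:myintfield"
    )
    return [row[0] for row in conn.execute(sql, params)]


def lookup_reused_param(conn, needle):
    """One named parameter referenced twice in the same statement, bound once."""
    sql = (
        "SELECT myfield FROM mytable "
        "WHERE mystrfield=:needle OR myfield=:needle"
    )
    return [row[0] for row in conn.execute(sql, {"needle": needle})]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR 1=1 --"          # constructed injection payload
    print("vulnerable:    ", lookup_vulnerable(db, payload, 5))     # every row
    print("parameterised: ", lookup_parameterised(db, payload, 5))  # no row
    print("reused param:  ", lookup_reused_param(db, "hello"))
```

With the payload `x' OR 1=1 --` the formatted statement becomes `... WHERE mystrfield='x' OR 1=1 --' AND myintfield=5`, so the comment swallows the integer condition and every row comes back; the bound version compares the column against the literal string and returns nothing.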

