
Re: Rép : Why is str(None) == 'None' and not an empty string?

Started by: Ian Kelly <ian.g.kelly@gmail.com>
First post: 2013-08-29 04:55 -0600
Last post: 2013-08-29 13:09 -0700
Articles: 2 — 2 participants


This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by below is the oldest one visible, not the original post.



#53238 — Re: Rép : Why is str(None) == 'None' and not an empty string?

From: Ian Kelly <ian.g.kelly@gmail.com>
Date: 2013-08-29 04:55 -0600
Subject: Re: Rép : Why is str(None) == 'None' and not an empty string?
Message-ID: <mailman.360.1377775316.19984.python-list@python.org>
On Wed, Aug 28, 2013 at 5:42 AM, Fabrice POMBET <fp2161@gmail.com> wrote:
>
> On 8/28/2013 4:57 AM, Piotr Dobrogost wrote:
>
>> Having repr(None) == 'None' is sure the right thing but why does str(None) == 'None'? Wouldn't it be more correct if it was an empty string?
>
> the point of str(obj) is to return a string containing the obj (a sequence of characters if it is unbound or not built-in, etc.)...
>
> If you set the rule str(None)=="", then you will cause plenty of problems.
>
> For instance, if you want to build a string like request="SELECT X"+"IN Y"+"WHERE B="+String(B)
> to prepare a sequel request, and the field B happens to be sometimes "None", you would automatically end up with """SELECT X IN Y WHERE B=''""" instead of """SELECT X IN Y WHERE B='None'""",
> and your sql request will fall into limbos...

The proper way to pass values into a SQL query is by using bind
parameters. Inserting them into the query string by concatenation is
error-prone and an excellent way to write code that is vulnerable to
SQL injection attacks.

The DB API guarantees that the object None will map to the database
value NULL when passed directly as a parameter. The value returned by
str(None) is irrelevant in this context.
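The contrast Ian draws, as an added example that is not part of the thread: the concatenation pattern from the quoted post beside DB-API parameter binding, run against the stdlib sqlite3 module on an in-memory table with constructed rows. Table and column names are assumptions chosen for the demo.

```python
"""Added example (not from the thread): concatenating str(b) into SQL
versus passing b as a DB-API bind parameter, using sqlite3 in memory."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE y (x TEXT, b TEXT)")
    # Constructed sample rows: a real NULL, the literal string 'None',
    # an ordinary value, and a value containing a single quote.
    conn.executemany(
        "INSERT INTO y VALUES (?, ?)",
        [("null-row", None), ("string-row", "None"),
         ("plain", "foo"), ("quoted", "O'Brien")],
    )
    return conn


def concat_query(conn, b):
    """The pattern from the quoted post: the value is glued into the SQL
    text.  str(None) becomes the literal 'None', so a NULL field silently
    selects rows whose b is the *string* 'None', and any value containing
    a quote changes the shape of the statement itself."""
    sql = "SELECT x FROM y WHERE b='" + str(b) + "'"
    return [row[0] for row in conn.execute(sql)]


def concat_breaks(conn, b):
    """True when concatenating b yields malformed SQL (OperationalError)."""
    try:
        concat_query(conn, b)
    except sqlite3.OperationalError:
        return True
    return False


def bound_eq_query(conn, b):
    """Bind parameter with '= ?': None is sent as NULL, but NULL = NULL is
    unknown in SQL, so a None parameter matches no rows at all."""
    return [row[0] for row in conn.execute("SELECT x FROM y WHERE b = ?", (b,))]


def bound_query(conn, b):
    """Bind parameter with 'IS ?': behaves like '=' for non-NULL values and
    matches NULL rows when b is None.  The value never touches the SQL text,
    so a quote in b is just data."""
    return [row[0] for row in conn.execute("SELECT x FROM y WHERE b IS ?", (b,))]
```
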



#53253

From: fp2161@gmail.com
Date: 2013-08-29 13:09 -0700
Message-ID: <f2f0407f-9203-41f7-bbb0-6de75474a655@googlegroups.com>
In reply to: #53238
On Thursday, August 29, 2013 12:55:36 PM UTC+2, Ian wrote:
> On Wed, Aug 28, 2013 at 5:42 AM, Fabrice POMBET <fp2161@gmail.com> wrote:
> >
> > On 8/28/2013 4:57 AM, Piotr Dobrogost wrote:
> >
> >> Having repr(None) == 'None' is sure the right thing but why does str(None) == 'None'? Wouldn't it be more correct if it was an empty string?
> >
> > the point of str(obj) is to return a string containing the obj (a sequence of characters if it is unbound or not built-in, etc.)...
> >
> > If you set the rule str(None)=="", then you will cause plenty of problems.
> >
> > For instance, if you want to build a string like request="SELECT X"+"IN Y"+"WHERE B="+String(B)
> > to prepare a sequel request, and the field B happens to be sometimes "None", you would automatically end up with """SELECT X IN Y WHERE B=''""" instead of """SELECT X IN Y WHERE B='None'""",
> > and your sql request will fall into limbos...
>
> The proper way to pass values into a SQL query is by using bind
> parameters. Inserting them into the query string by concatenation is
> error-prone and an excellent way to write code that is vulnerable to
> SQL injection attacks.
>
> The DB API guarantees that the object None will map to the database
> value NULL when passed directly as a parameter. The value returned by
> str(None) is irrelevant in this context.

I could not agree more with you. The purpose of my post, however, was only to give a simple illustration of how such a generic change would make everything awkward, not to give any proper, precise or general directions on how to code a safe SQL request for a DB when you are online. Thank you however for your corrections.
