“%s"% 格式 vs “{0}".format() vs “?"格式 [英] "%s" % format vs "{0}".format() vs "?" format
问题描述
在这篇 关于 SQLite 的帖子中,aaronasterling 告诉我
In this post about SQLite, aaronasterling told me that
cmd = "attach \"%s\" as toMerge" % "b.db"
: 是错误的cmd = 'attach "{0}" as toMerge'.format("b.db")
:正确cmd = "attach ? as toMerge";cursor.execute(cmd, ('b.db', ))
: 是对的
cmd = "attach \"%s\" as toMerge" % "b.db"
: is wrongcmd = 'attach "{0}" as toMerge'.format("b.db")
: is correctcmd = "attach ? as toMerge"; cursor.execute(cmd, ('b.db', ))
: is right thing
但是,我认为第一个和第二个是一样的.这三者有什么区别?
But, I've thought the first and second are the same. What are the differences between those three?
推荐答案
"attach \"%s\" as toMerge" % "b.db"
你应该使用 '
而不是 "
,这样你就不必转义了.
You should use '
instead of "
, so you don't have to escape.
您使用了已弃用的旧格式字符串.
You used the old formatting strings that are deprecated.
'attach "{0}" as toMerge'.format("b.db")
这使用了来自较新 Python 版本的新格式字符串功能,如果可能,应使用该功能代替旧版本.
This uses the new format string feature from newer Python versions that should be used instead of the old one if possible.
"attach ? as toMerge"; cursor.execute(cmd, ('b.db', ))
这个完全省略了字符串格式,而是使用了 SQLite 功能,所以这是正确的方法.
This one omits string formatting completely and uses a SQLite feature instead, so this is the right way to do it.
大优势:无SQL注入风险
Big advantage: no risk of SQL injection
这篇关于“%s"% 格式 vs “{0}".format() vs “?"格式的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!