You&#39;re doing it wrong. Literally. You should be using parameters, like this:

    c.execute(&quot;UPDATE movies SET rating = ? WHERE name = ?&quot;, (8.7, &quot;&#39;Allo &#39;Allo! (1982)&quot;))

Like that, you won&#39;t need to do *any* quoting at all and (if those values are coming from anyone untrusted) you&#39;ll be 100% safe (here) from SQL injection attacks too.

&gt; I use re.escape(title) to add escape
&gt; chars into the strings to make them db
&gt; safe

Note that `re.escape` makes a string **re**-safe -- nothing to do with making it **db** safe.  Rather, as @Donal says, what you need is the _parameter substitution_ concept of the Python DB API -- **that** makes things &quot;db safe&quot; as you need.

SQLite doesn&#39;t support backslash escape sequences.  Apostrophes in string literals are indicated by doubling them: `&#39;&#39;&#39;Allo &#39;&#39;Allo! (1982)&#39;`.

But, like Donal said, you should be using parameters.

I&#39;ve one simple tip you could use to handle this problem:
When your SQL statement string has single quote:&#39;, then you could use double quote to enclose your statement string. And when your SQL statement string has double quotes:&quot;, then you could use single quote:&quot; to enclose your statement string.
E.g.

    sqlString=&quot;UPDATE movies SET rating = &#39;8.7&#39; WHERE name=&#39;Allo Allo !&#39; (1982 )&quot;
    c.execute(sqlString)

Or,

    sqlString=&#39;UPDATE movies SET rating = &quot;8.7&quot; WHERE name=&quot;Allo Allo !&quot; (1982 )&#39;
    c.execute(sqlString)

This solution works for me in Python environment.



I&#39;m currently faced with a very unusual design problem, and hope that a developer wiser than myself might be able to offer some insight.

Background
-----------
Without being too specific, I&#39;ve been hired by a non-profit organisation to assist with the redevelopment of their legacy, but very valuable (in terms of social value) software. The development team is unlike any I&#39;ve encountered in my time as a software developer, and is comprised of a small number of developers and a larger group of non-programming domain experts. What makes the arrangement unusual is that the domain experts (lets call them content creators), use custom tooling, some of which is based around a prolog expert system engine, to develop web based software components/forms.

The Problem
-----------
The system uses a very awkward postback model to perform logical operations server side and return new forms/results. It is slow, and prone to failure. Simple things, like creating html forms using the existing tooling is *much* more arduous than it should be. As the demand for a more interactive, and performant experience grows, the software developers are finding increasingly that they have to circumvent the expert system/visual tooling used by the content creators, and write new components by hand in javascript. The content creators feel increasingly that their hands are tied, as they are now unable to contribute new components.


Design approach: Traditional/Typical
-----------------------------------
I have been advocating for the complete abandonment of the previous model and the adoption of a typical software development process. As mentioned earlier, the project has naturally evolved towards this as the non-programmatic development tooling has become incapable of meeting the needs of the business. 

The content creators have a very valuable contribution to make however, and I would like to see them focusing on formally specifying the expected behaviour of the software with tools like Cucumber, instead of being involved in implementation. 

Design approach: Non-programmatic
---------------------------------
My co-worker, who I respect a great deal and suspect is far more knowledgeable than me, feels that the existing process is fine and that we just need to build better tooling. I can&#39;t help but feel however that there is something fundamentally flawed with this approach. I have yet to find one instance, either historical or contemporary where this model of software development has been successful. COBOL was developed with the philosophy of allow business people/domain experts to write applications without the need for a programmer, and to my mind all this did was create a new kind of programmer - the COBOL programmer. If it was possible to develop effective systems allowing non-programmers to create non-trivial applications, surely the demand for programmers would be much lower? The only frameworks that I am aware of that roughly fit this model are SAP&#39;s Smart Forms and Microsoft&#39;s Dynamix AX - both of which are very domain specific ERP systems.

DSLs, Templating Languages
---------------------------
Something of a compromise between the two concepts would be to implement some kind of DSL as a templating language. I&#39;m not even sure that this would be successful however, as all of the content creators, with one exception, are completely non technical.

I&#39;ve also considered building a custom IDE based on Visual Studio or Net Beans with graphical/toolbox style tooling.

Thoughts?
----------
Is non-programmatic development a fools errand? Will this always result in something unsatisfactory, requiring hands on development from a programmer? 

Many thanks if you&#39;ve taken the time to read this, and I&#39;d certainly appreciate any feedback.

Is non-programmatic software development feasible?

Why does C++ have `public` members that anyone can call and `friend` declarations that expose _all_ `private` members to _given_ foreign classes or methods but offer no syntax to expose particular members to given callers?

I want to express interfaces with some routines to be invoked only by known callers without having to give those callers complete access to all privates, which feels like a reasonable thing to want.  The best I could come up with myself (below) and suggestions by others so far revolve around idioms/pattern of varying indirectness, where I really just want a way to have _single_, simple class definitions that explicitly indicate what callers (more granularly than _me_, _my children_, or _absolutely anybody_) can access which members.  What is the best way to express the concept below?

    // Can I grant Y::usesX(...) selective X::restricted(...) access more cleanly?
    void Y::usesX(int n, X *x, int m) {
      X::AttorneyY::restricted(*x, n);
    }

    struct X {
      class AttorneyY;          // Proxies restricted state to part or all of Y.
    private:
      void restricted(int);     // Something preferably selectively available.
      friend class AttorneyY;   // Give trusted member class private access.
      int personal_;            // Truly private state ...
    };

    // Single abstract permission.  Can add more friends or forwards.
    class X::AttorneyY {
      friend void Y::usesX(int, X *, int);
      inline static void restricted(X &amp;x, int n) { x.restricted(n); }
    };

I&#39;m nowhere near being a software organization guru, but it feels like interface simplicity and the principle of least privilege are directly at odds in this aspect of the language.  A clearer example for my desire might be a `Person` class with declared methods like `takePill(Medicine *)` `tellTheTruth()` and `forfeitDollars(unsigned int)` that only `Physician`, `Judge`, or `TaxMan` instances/member methods, respectively, should even consider invoking.  Needing one-time proxy or interface classes for each major interface aspect sits ill with me, but please speak up if you know I&#39;m missing something.

__Answer accepted from [Drew Hall][1]: [Dr Dobbs - Friendship and the Attorney-Client Idiom][2]__

The code above originally called the wrapper class &#39;Proxy&#39; instead of &#39;Attorney&#39; and used pointers instead of references but was otherwise equivalent to what Drew found, which I then deemed the best generally known solution.  (Not to pat myself on the back too hard...)  I also changed the signature of &#39;restricted&#39; to demonstrate parameter forwarding.  The overall cost of this idiom is one class and one friend declaration per permission set, one friend declaration per set approved caller, and one forwarding wrapper per exposed method per permission set.  Most of the better discussion below revolves around the forwarding call boilerplate that a very similar &#39;Key&#39; idiom avoids at the expense of less direct protection.

  [1]: https://stackoverflow.com/users/23934/drew-hall
  [2]: http://www.drdobbs.com/184402053

clean C++ granular friend equivalent? (Answer: Attorney-Client Idiom)

I have a python script that reads raw movie text files into an sqlite database.

I use re.escape(title) to add escape chars into the strings to make them db safe before executing the inserts.

Why does this not work:

    In [16]: c.execute(&quot;UPDATE movies SET rating = &#39;8.7&#39; WHERE name=&#39;\&#39;Allo\ \&#39;Allo\!\&quot;\ \(1982\)&#39;&quot;)
    --------------------------------------------------------------------------- OperationalError                       Traceback (most recent call last)
    
    /home/rajat/Dropbox/amdb/&lt;ipython console&gt; in &lt;module&gt;()
    
    OperationalError: near &quot;Allo&quot;: syntax error


Yet this works (removed \&#39; in two places) :

    In [17]: c.execute(&quot;UPDATE movies SET rating = &#39;8.7&#39; WHERE name=&#39;Allo\ Allo\!\&quot;\ \(1982\)&#39;&quot;) Out[17]: &lt;sqlite3.Cursor object at 0x9666e90&gt;

I can&#39;t figure it out. I also can&#39;t ditch those leading quotes because they&#39;re actually part of the movie title.
Thank you.

Escaping chars in Python and sqlite

I have a python script that reads raw movie text files into an sqlite database.
I use re.escape(title) to add escape chars into the strings to make them db safe before executing the inserts.
Why does this not work:
<pre><code class="hljs language-vbnet">In [16]: c.execute("UPDATE movies SET rating = '8.7' WHERE name='\'Allo\ \'Allo\!\"\ \(1982\)'")
--------------------------------------------------------------------------- OperationalError Traceback (most recent call last)

/home/rajat/Dropbox/amdb/&#x3C;ipython console> in &#x3C;module>()

OperationalError: near "Allo": syntax error
</code></pre>
Yet this works (removed ' in two places) :
<pre><code class="hljs language-ini">In [17]: c.execute("UPDATE movies SET rating = '8.7' WHERE name='Allo\ Allo\!\"\ \(1982\)'") Out[17]: &#x3C;sqlite3.Cursor object at 0x9666e90>
</code></pre>
I can't figure it out. I also can't ditch those leading quotes because they're actually part of the movie title.
Thank you.

I want to install some specific version of a package (in this case Django) inside the virtual environment. I can&#39;t figure it out.

I&#39;m on Windows XP, and I created the virtual environment successfully, and I&#39;m able to run it, but how am I supposed to install the Django version I want into it? I mean, I know to use the newly-created `easy_install` script, but how do I make it install Django 1.0.7? If I do `easy_install django`, it will install the latest version. I tried putting the version number `1.0.7` into this command in various ways, but nothing worked.

How do I do this?

How do I install an old version of Django on virtualenv?

I am new to Python&#39;s logging package and plan to use it for my project. I would like to customize the time format to my taste. Here is a short code I copied from a tutorial:


    import logging
    
    # create logger
    logger = logging.getLogger(&quot;logging_tryout2&quot;)
    logger.setLevel(logging.DEBUG)
    
    # create console handler and set level to debug
    ch = logging.StreamHandler()
    ch.setLevel(logging.DEBUG)
    
    # create formatter
    formatter = logging.Formatter(&quot;%(asctime)s;%(levelname)s;%(message)s&quot;)
    
    # add formatter to ch
    ch.setFormatter(formatter)
    
    # add ch to logger
    logger.addHandler(ch)
    
    # &quot;application&quot; code
    logger.debug(&quot;debug message&quot;)
    logger.info(&quot;info message&quot;)
    logger.warn(&quot;warn message&quot;)
    logger.error(&quot;error message&quot;)
    logger.critical(&quot;critical message&quot;)

And here is the output:

    2010-07-10 10:46:28,811;DEBUG;debug message
    2010-07-10 10:46:28,812;INFO;info message
    2010-07-10 10:46:28,812;WARNING;warn message
    2010-07-10 10:46:28,812;ERROR;error message
    2010-07-10 10:46:28,813;CRITICAL;critical message

I would like to shorten the time format to just: &#39;`2010-07-10 10:46:28`&#39;, dropping the mili-second suffix. I looked at the Formatter.formatTime, but confused. I appreciate your help to achieve my goal. Thank you.


How to Customize the time format for Python logging?

A [tweet][1] reads: 

&gt; Don&#39;t use easy_install, unless you
&gt; like stabbing yourself in the face.
&gt; Use pip.

Why use pip over easy_install? Doesn&#39;t the [fault lie with PyPI and package authors mostly][2]? If an author uploads crap source tarball (eg: missing files, no setup.py) to PyPI, then both pip and easy_install will fail. Other than cosmetic differences, why do Python people (like in the above tweet) seem to **strongly** favor pip over easy_install?

(Let&#39;s assume that we&#39;re talking about easy_install from the Distribute package, that is maintained by the community)

  [1]: http://twitter.com/jperras/statuses/18160589493
  [2]: http://mail.python.org/pipermail/catalog-sig/2010-June/002985.html

Why use pip over easy_install?

when i give 
ls -l /etc/fonts/conf.d/70-yes-bitmaps.conf 

    lrwxrwxrwx &lt;snip&gt; /etc/fonts/conf.d/70-yes-bitmaps.conf -&gt; ../conf.avail/70-yes-bitmaps.conf

so for a symbolic link or soft link, how to find the target file&#39;s full(absolute path) in python,

If i use 

`os.readlink(&#39;/etc/fonts/conf.d/70-yes-bitmaps.conf&#39;)`

it outputs 

`../conf.avail/70-yes-bitmaps.conf`

but i need the absolute path not the relative path, so my desired output must be,

`/etc/fonts/conf.avail/70-yes-bitmaps.conf`

how to replace the `..` with the actual full path of the parent directory of the symbolic link or soft link file.


how to find the target file&#39;s full(absolute path) of the symbolic link or soft link in python

Is there a generic notion of asynchronous programming in python? Could I assign a callback to a function, execute it and return to the main program flow immediately, no matter how long the execution of that function would take?

asynchronous programming in python

Question: Is it possible to use a variable as your table name without having to use string constructors to do so?

___

Info: 

I&#39;m working on a project right now that catalogs data from a star simulation of mine. To do so I&#39;m loading all the data into a sqlite database. It&#39;s working pretty well, but I&#39;ve decided to add a lot more flexibility, efficiency, and usability to my db. I plan on later adding planetoids to the simulation, and wanted to have a table for each star. This way I wouldn&#39;t have to query a table of 20m some planetoids for the 1-4k in each solar system. 

I&#39;ve been told using string constructors is bad because it leaves me vulnerable to a SQL injection attack. While that isn&#39;t a big deal here as I&#39;m the only person with access to these dbs, I would like to follow best practices. And also this way if I do a project with a similar situation where it is open to the public, I know what to do.

Currently I&#39;m doing this:

    cursor.execute(&quot;CREATE TABLE StarFrame&quot;+self.name+&quot; (etc etc)&quot;)

This works, but I would like to do something more like:

    cursor.execute(&quot;CREATE TABLE StarFrame(?) (etc etc)&quot;,self.name)

though I understand that this would probably be impossible. though I would settle for something like

    cursor.execute(&quot;CREATE TABLE (?) (etc etc)&quot;,self.name)

If this is not at all possible, I&#39;ll accept that answer, but if anyone knows a way to do this, do tell. :)

I&#39;m coding in python.



Variable table name in sqlite

    db = sqlite.connect(&quot;test.sqlite&quot;)
    res = db.execute(&quot;select * from table&quot;)

With iteration I get lists coresponding to the rows.

    for row in res:
        print row

I can get name of the columns

    col_name_list = [tuple[0] for tuple in res.description]

But is there some function or setting to get dictionaries instead of list?

    {&#39;col1&#39;: &#39;value&#39;, &#39;col2&#39;: &#39;value&#39;}

or I have to do myself?

How can I get dict from sqlite query?

I have a SQLite database that I am using for a website. The problem is that when I try to `INSERT INTO` it, I get a `PDOException`

    SQLSTATE[HY000]: General error: 8 attempt to write a readonly database

I SSH&#39;d into the server and checked permissions, and the database has the permissions

    -rw-rw-r--

I&#39;m not that familiar with *nix permissions, but I&#39;m pretty sure this means

* Not a directory
* Owner has read/write permissions (that&#39;s me, according to `ls -l`)
* Group has read/write permissions
* Everyone else only has read permissions

I also looked everywhere I knew to using the `sqlite3` program, and found nothing relevant.

Because I didn&#39;t know with what permissions PDO is trying to open the database, I did

    chmod o+w supplies.db

Now, I get another `PDOException`:

    SQLSTATE[HY000]: General error: 14 unable to open database file

But it ONLY occurs when I try to execute an `INSERT` query *after* the database is open.

**Any ideas on what is going on?**



SQLite error &#39;attempt to write a readonly database&#39; during insert?

I have simple question with Sqlite. What is the difference between this:

    Select * from Animals LIMIT 100 OFFSET 50

and

    Select * from Animals LIMIT 100,50


Sqlite LIMIT / OFFSET query

I&#39;m just getting started learning [SQLite][1]. It would be nice to be able to see the details for a table, like MySQL&#39;s `DESCRIBE [table]`. `PRAGMA table_info [table]` isn&#39;t good enough, as it only has basic information (for example, it doesn&#39;t show if a column is a field of some sort or not). Does SQLite have a way to do this?

  [1]: http://en.wikipedia.org/wiki/SQLite


Content Type	Original Author	Original Content on Stackoverflow
Question	rajat banerjee	View Question on Stackoverflow
Solution 1 - Python	Donal Fellows	View Answer on Stackoverflow
Solution 2 - Python	Alex Martelli	View Answer on Stackoverflow
Solution 3 - Python	dan04	View Answer on Stackoverflow
Solution 4 - Python	Clock ZHONG	View Answer on Stackoverflow

Escaping chars in Python and sqlite

Python Problem Overview

Python Solutions

Solution 1 - Python

Solution 2 - Python

Solution 3 - Python

Solution 4 - Python

clean C++ granular friend equivalent? (Answer: Attorney-Client Idiom)

Is non-programmatic software development feasible?

Attributions