"%s" % format vs "{0}".format() vs "?" format

python string-formatting pysqlite
prosseek picture prosseek · Sep 11, 2010 · Viewed 17.3k times · Source

In this post about SQLite, aaronasterling told me that

  • cmd = "attach \"%s\" as toMerge" % "b.db" : is wrong
  • cmd = 'attach "{0}" as toMerge'.format("b.db") : is correct
  • cmd = "attach ? as toMerge"; cursor.execute(cmd, ('b.db', )) : is right thing

But, I've thought the first and second are the same. What are the differences between those three?

Answer

leoluk picture leoluk · Sep 11, 2010 
"attach \"%s\" as toMerge" % "b.db"

You should use ' instead of ", so you don't have to escape.

You used the old formatting strings that are deprecated.

'attach "{0}" as toMerge'.format("b.db")

This uses the new format string feature from newer Python versions that should be used instead of the old one if possible.

"attach ? as toMerge"; cursor.execute(cmd, ('b.db', ))

This one omits string formatting completely and uses a SQLite feature instead, so this is the right way to do it.

Big advantage: no risk of SQL injection

Related questions

String formatting: % vs. .format vs. string literal

Python 2.6 introduced the str.format() method with a slightly different syntax from the existing % operator. Which is better and for what situations? Python 3.6 has now introduced another string formatting format of string literals (aka "f" strings) via the syntax f"…

Read More
Display number with leading zeros

Given: a = 1 b = 10 c = 100 How do I display a leading zero for all numbers with less than two digits? This is the output I'm expecting: 01 10 100

Read More
What's the difference between %s and %d in Python string formatting?

I don't understand what %s and %d do and how they work.

Read More