In this post about SQLite, aaronasterling told me that

cmd = "attach \"%s\" as toMerge" % "b.db"
: is wrong

cmd = 'attach "{0}" as toMerge'.format("b.db")
: is correct

cmd = "attach ? as toMerge"; cursor.execute(cmd, ('b.db', ))
: is the right thing

But, I've thought the first and second are the same. What are the differences between those three?
"attach \"%s\" as toMerge" % "b.db"

You should use ' instead of ", so you don't have to escape. You used the old formatting strings that are deprecated.
'attach "{0}" as toMerge'.format("b.db")
This uses the new format string feature from newer Python versions that should be used instead of the old one if possible.
"attach ? as toMerge"; cursor.execute(cmd, ('b.db', ))
This one omits string formatting completely and uses a SQLite feature instead, so this is the right way to do it.
Big advantage: no risk of SQL injection
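An added example, not part of the question or the answer, that runs the three forms against an in-memory SQLite database. It shows that the `%` and `.format()` versions build byte-for-byte the same SQL text, and that only the bound-parameter version survives a file name containing a double quote (the file name and temp directory are constructed for the demonstration).

```python
import os
import shutil
import sqlite3
import tempfile


def formatted_sql(path):
    """Build the ATTACH text with the two string-formatting forms from the question.

    Both give identical SQL: '%' and str.format() differ only in Python syntax,
    so neither one protects the statement from whatever `path` contains.
    """
    old_style = "attach \"%s\" as toMerge" % path
    new_style = 'attach "{0}" as toMerge'.format(path)
    assert old_style == new_style
    return new_style


def attach_formatted(conn, path):
    """Attach by pasting the path into the SQL; False if SQLite rejects the text."""
    try:
        conn.execute(formatted_sql(path))
        return True
    except sqlite3.OperationalError:
        return False


def attach_bound(conn, path):
    """Attach with a bound parameter (the answer's recommended form)."""
    conn.execute("attach ? as toMerge", (path,))
    return True


def attached_names(conn):
    """Schema names currently attached, from PRAGMA database_list (seq, name, file)."""
    return [row[1] for row in conn.execute("pragma database_list")]


def demo():
    # Constructed input: a double quote is legal in a file name, but once pasted
    # into the SQL text it terminates the "..." token early and breaks parsing.
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, 'odd"name.db')
    try:
        formatted_ok = attach_formatted(sqlite3.connect(":memory:"), path)  # False
        conn = sqlite3.connect(":memory:")
        attach_bound(conn, path)  # the value is passed as data, never parsed as SQL
        names = attached_names(conn)  # ['main', 'toMerge']
        conn.close()
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return formatted_ok, names


if __name__ == "__main__":
    print(demo())
```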