python - "%s" % format vs "{0}".format() vs "?" format

Question

In this post about SQLite, aaronasterling told me that

• cmd = "attach "%s" as toMerge" % "b.db" : is wrong
• cmd = 'attach "{0}" as toMerge'.format("b.db") : is correct
• cmd = "attach ? as toMerge"; cursor.execute(cmd, ('b.db', )) : is right thing

But, I've thought the first and second are the same. What are the differences between those three?

Answer 1

"attach "%s" as toMerge" % "b.db"

You should use ' instead of ", so you don't have to escape.

You used the old formatting strings that are deprecated.

'attach "{0}" as toMerge'.format("b.db")

This uses the new format string feature from newer Python versions that should be used instead of the old one if possible.

"attach ? as toMerge"; cursor.execute(cmd, ('b.db', ))

This one omits string formatting completely and uses a SQLite feature instead, so this is the right way to do it.

Big advantage: no risk of SQL injection