From 5d7466981b04710dc69a6e47bb6aa7020d8ccb1a Mon Sep 17 00:00:00 2001
From: Joshua Padman <jpadman@redhat.com>
Date: Wed, 31 Jan 2018 21:17:03 +1100
Subject: [PATCH] Fix for incorrect MySQLdb escaping example

My suggestion for improving the parameterized query documentation.
Closes-Bug: #1745555

Change-Id: I55d3d660436bbead403e53d1ed42b285b47326de
---
 .../dg_parameterize-database-queries.rst          | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/doc/source/guidelines/dg_parameterize-database-queries.rst b/doc/source/guidelines/dg_parameterize-database-queries.rst
index 4f521ba..b506682 100644
--- a/doc/source/guidelines/dg_parameterize-database-queries.rst
+++ b/doc/source/guidelines/dg_parameterize-database-queries.rst
@@ -95,25 +95,28 @@ be created.
         cur = con.cursor()
         cur.execute(query)
 
-Correct
-^^^^^^^
+Better
+^^^^^^
 
 In this example the query is created using pythons standard, unsafe
 '%' operator. MySQL's 'escape\_string' method is used to perform escaping
-on the query string immediately before executing it.
+on the user input string prior to inclusion in the string.
 
 .. code:: python
 
     import MySQLdb
 
-    query = "select username from users where username = '%s'" % name
+    query = "select username from users where username = '%s'" % MySQLdb.escape_string(name)
     con = MySQLdb.connect('localhost', 'testuser', 'test623', 'testdb');
 
     with con:
         cur = con.cursor()
-        cur.execute(MySQLdb.escape_string(query))
+        cur.execute(query)
 
-An alternative, but also correct, way to do this using a parameterized
+Correct
+^^^^^^^
+
+The correct way to do this using a parameterized
 query might look like the following:
 
 .. code:: python