This is kinda OT, so feel free to tell me where to go :) I just noticed that python's mysql bindings combine commands and parameters before they get sent to the server: def execute(self, query, args=None): ... if args is not None: query = query % db.literal(args) Unless I'm mistaken, this is in general: bad. I would like to bring it to someone's attention in hopes that it will be improved, but first I need to make a case for why. What I am looking for is a write up on why keeping parameters separate is important. I think I know, but I am not a reliable source. so something on mysql.com or from a mysql dev would carry a bit more weight. Carl K