[DB-SIG] SQL string escape function

moored@reed.edu
Tue, 24 Jul 2001 17:52:29 -0700 (PDT)


On Tue, 24 Jul 2001, Paul DuBois wrote:
>
> You need to do it if you want to produce SQL statements for *another*
> program to execute.
>

I'm not familiar with 'bound variables,' but I did search for it.
My main wonder is if the two following statements are equivalent:

sqlstring = "SELECT * FROM table WHERE table.string=\'%s\'"
sqlstring = sqlstring % (nastystring)
cursor.execute(sqlstring)

versus:

cursor.execute("SELECT * FROM table WHERE table.string=\'%s\'" %
(nastystring))

I like to build SQL line by line and cramming the whole expression inside
the execute is inconvenient.

-------===Dustin Moore===---------
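Added example (not part of the original thread, and not code from either poster): the two forms above are shown side by side against the DB-API 'bound variables' alternative, using Python's sqlite3 module and a constructed in-memory table named t. It assumes sqlite3's 'qmark' paramstyle (?); other drivers use '%s' or ':name', but the idea is the same. The value O'Brien is only a sample with an apostrophe in it, to show that building the statement line by line works just as well with binding, while %-formatting (in either form) alters the statement text itself.

```python
import sqlite3


def make_db():
    """Constructed sample data: a small in-memory table (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (string TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)", [("alpha",), ("O'Brien",)])
    return conn


def query_by_formatting(conn, value):
    """The two forms from the mail are equivalent: building the string first
    and formatting inline produce the same SQL text. Both splice the value
    into the statement, so a quote character in the value changes the SQL."""
    sqlstring = "SELECT * FROM t WHERE t.string='%s'"
    sqlstring = sqlstring % (value,)          # same text as the inline form
    return conn.execute(sqlstring).fetchall()


def query_by_binding(conn, value):
    """DB-API bound variable: the statement text stays fixed and the value is
    handed to the driver separately, so no escaping is needed. The SQL can
    still be assembled line by line; only the value is kept out of the text."""
    sqlstring = "SELECT * FROM t"
    sqlstring += " WHERE t.string=?"          # '?' is sqlite3's qmark paramstyle
    return conn.execute(sqlstring, (value,)).fetchall()


def compare(value):
    """Run both approaches on one value and return (formatted_result, bound_result).
    A driver error from the formatted version is reported as a string."""
    conn = make_db()
    try:
        formatted = query_by_formatting(conn, value)
    except sqlite3.Error as exc:
        formatted = "error: %s" % type(exc).__name__
    bound = query_by_binding(conn, value)
    conn.close()
    return formatted, bound


if __name__ == "__main__":
    for sample in ("alpha", "O'Brien"):
        print(sample, "->", compare(sample))
```

With a plain value both approaches return the same row; with the apostrophe the formatted statement is no longer valid SQL and the driver rejects it, while the bound version returns the O'Brien row. Whatever the driver's paramstyle, `cursor.execute(sql, params)` is the form to use when the statement is executed from Python; escaping by hand is only needed when the SQL text is written out for another program, as Paul said.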