[DB-SIG] SQL string escape function
moored@reed.edu
Tue, 24 Jul 2001 17:52:29 -0700 (PDT)
On Tue, 24 Jul 2001, Paul DuBois wrote:
>
> You need to do it if you want to produce SQL statements for *another*
> program to execute.
>
I'm not familiar with 'bound variables,' but I did search for it.
My main wonder is if the two following statements are equivalent:
sqlstring = "SELECT * FROM table WHERE table.string=\'%s\'"
sqlstring = sqlstring % (nastystring)
cursor.execute(sqlstring)
versus:
cursor.execute("SELECT * FROM table WHERE table.string=\'%s\'" %
(nastystring))
I like to build SQL line by line and cramming the whole expression inside
the execute is inconvenient.
-------===Dustin Moore===---------
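Added example, not code from the original post: the two forms above are equivalent (both hand the driver a fully formatted string), and the interpolated value breaks the statement as soon as it contains a quote, while a bound variable is passed separately and quoted by the driver. It assumes the sqlite3 module (DB-API 2.0, `qmark` paramstyle); another driver may use a different placeholder, which `module.paramstyle` reports.

```python
import sqlite3

NASTY = "O'Brien"  # constructed sample value containing a single quote


def make_db():
    """Create a throwaway in-memory database with one row holding the nasty string."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (string TEXT)")
    conn.execute("INSERT INTO t (string) VALUES (?)", (NASTY,))
    return conn


def interpolated_query(conn, value):
    """Build the statement with % formatting, as in the post.

    Returns the matching rows, or an 'error: ...' string when the
    unescaped quote in the value makes the SQL syntactically invalid.
    """
    sqlstring = "SELECT * FROM t WHERE t.string='%s'"
    sqlstring = sqlstring % (value,)
    try:
        return conn.execute(sqlstring).fetchall()
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc


def bound_query(conn, value):
    """Same statement built line by line, but the value travels as a bound
    parameter: the driver, not string formatting, handles the quoting."""
    sqlstring = "SELECT * FROM t"
    sqlstring += " WHERE t.string = ?"
    return conn.execute(sqlstring, (value,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(interpolated_query(conn, NASTY))  # error: the quote in O'Brien breaks the SQL
    print(bound_query(conn, NASTY))         # [("O'Brien",)]
```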