[DB-SIG] SQL string escape function

M.-A. Lemburg mal@lemburg.com
Wed, 25 Jul 2001 09:44:41 +0200


Paul DuBois wrote:
> 
> At 11:58 AM +0200 7/24/01, M.-A. Lemburg wrote:
> >moored@reed.edu wrote:
> >>
> >>   Forgive my ignorance and inability to find a manual: Is there a function
> >>  that will escape special characters from a string such that it can be
> >>  included in a SQL statement? I'm looking for something like the PHP
> >>  AddSlashes().
> >
> >You normally don't need to do that since the database module
> >will apply the necessary quoting itself if you pass your parameters
> >using bound variables:
> >
> >cursor.execute('select name from mytable where id=?', (id,))
> >
> >For more information, please see the database topic guide on www.python.org.
> 
> You need to do it if you want to produce SQL statements for *another*
> program to execute.

That's true... 

BTW, there is a dbinfo.py tool on my web-pages which
aims at providing standard escaping (and other) mechanisms to enable
writing cross-database SQL code. Perhaps this module helps?!

-- 
Marc-Andre Lemburg
CEO eGenix.com Software GmbH
______________________________________________________________________
Consulting & Company:                           http://www.egenix.com/
Python Software:                        http://www.lemburg.com/python/
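
The two cases discussed in this thread, as an added example that is not part of the original messages and is not code from dbinfo.py: bound parameters when the program executes the SQL itself, and literal quoting when it writes SQL text for another program to run. It assumes Python's standard sqlite3 module (qmark parameter style) as a stand-in database; the function names and sample values are constructed for illustration.

```python
import sqlite3

# Constructed sample values: quotes, a backslash, SQL punctuation, empty string.
SAMPLE_NAMES = ["O'Brien", "it's; -- not a comment", "back\\slash", ""]

def sql_literal(value):
    """Render a value as a SQLite literal for a generated script.

    Quoting rules are dialect-specific; this one (double each single quote,
    no backslash escapes) is SQLite's and must not be reused for other engines.
    """
    if value is None:
        return "NULL"
    if isinstance(value, int) and not isinstance(value, bool):
        return str(value)
    if isinstance(value, str):
        if "\x00" in value:
            raise ValueError("NUL cannot appear in a SQL text literal")
        return "'" + value.replace("'", "''") + "'"
    raise TypeError("unsupported type: %s" % type(value).__name__)

def make_db(names):
    """Case 1: this program runs the SQL, so values are bound parameters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mytable (id integer primary key, name text)")
    conn.executemany("insert into mytable (name) values (?)", [(n,) for n in names])
    return conn

def find_id(conn, name):
    """Look a name up with a bound variable; no escaping is needed."""
    row = conn.execute("select id from mytable where name=?", (name,)).fetchone()
    return row[0] if row else None

def dump_script(conn):
    """Case 2: emit SQL text for another program to execute."""
    lines = ["create table mytable (id integer primary key, name text);"]
    for id_, name in conn.execute("select id, name from mytable order by id"):
        lines.append("insert into mytable (id, name) values (%s, %s);"
                     % (sql_literal(id_), sql_literal(name)))
    return "\n".join(lines)

def replay(script):
    """Stand-in for the other program: run the script, return stored names."""
    other = sqlite3.connect(":memory:")
    other.executescript(script)
    return [r[0] for r in other.execute("select name from mytable order by id")]

if __name__ == "__main__":
    print(dump_script(make_db(SAMPLE_NAMES)))
```

Replaying the generated script into a second database and comparing the stored names with the originals is a quick check that the quoting is lossless for the target dialect.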