[DB-SIG] inserting strings into postgres db using pgdb (escaping quotes automagically)

Marcos Sánchez Provencio msanchez at grupoburke.com
Wed Jun 18 22:02:57 EDT 2003

This has been discussed before and recently



El mié, 18 de 06 de 2003 a las 18:42, Nathan Clegg escribió:
> Can't pgdb also use 'format' paramstyle?  It is no less safe.  The
> only advantage is being able to ignore order and is convenient for
> repeating the same param multiple times in the statement, which is
> unnecessary in this example.  My code is no more likely to fail in
> interesting and spectacular ways than yours, as I am not doing any
> quoting or parsing myself.
> Andy Todd wrote:
> > The column names and values are put into a dictionary because pgdb uses 
> > the 'pyformat' paramstyle. The general form of which is;
> > 
> >  >>> cursor.execute("SELECT column_a FROM table_a WHERE 
> > column_b=%(param_a)s", {'param_a':'some value'})
> > 
> > This ensures that values are appropriately quoted and parsed by the 
> > database module and not by you. This means that funny (or just 
> > unexpected) characters don't cause your query to fail in interesting and 
> > spectacular ways.
Marcos Sánchez Provencio <msanchez at grupoburke.com>

More information about the DB-SIG mailing list