sql escaping module
david.bear at asu.edu
Thu Dec 8 20:07:03 CET 2005
Fredrik Lundh wrote:
> David Bear wrote:
>> Being new to pgdb, I'm finding there are a lot of things I don't understand
>> when I read the PEP and the sparse documentation on pgdb.
>> I was hoping there would be a module that would properly escape longer
>> text strings to prevent sql injection -- and other things just make sure
>> the python string object ends up being a proper type for postgresql.
>> I've bought 3 books on postgresql and none of the code samples demonstrate
>> web searches for 'python sql escape string' yield way too many results.
>> Any pointers would be greatly appreciated.
> for x in range(1000000):
>     print "USE PARAMETERS TO PASS VALUES TO THE DATABASE"
Yes. Fredrik and others. Thank you for the advice.
I now have the following code:
parmChar = '%s'
sqlInsert = """INSERT INTO %s (%s) VALUES (%s); """ % (
    tn, ", ".join(fieldnames), ", ".join([parmChar] * len(fieldnames)))
logerror("Error on record insert \n %s \n %s" % (sqlInsert,
I was not aware that the python db interface would just handle proper
escaping of python data types to proper postgresql data types.
Any other hints on database programming much appreciated.
-- let me buy your intellectual property, I want to own your thoughts --
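An added example (not code from the thread) of the pattern discussed above: the statement text is built with one placeholder per column and the values are bound by the driver, never escaped in application code. It uses sqlite3 so it runs offline; its '?' placeholder takes the place of the '%s' the post uses with pgdb. The build_insert/insert_row names and the identifier check are assumptions added here, because table and column names cannot be passed as parameters and must be validated separately.

```python
import re
import sqlite3

# DB-API 2.0 paramstyle -> placeholder text.  sqlite3 reports 'qmark';
# the '%s' style used with pgdb in the post is 'format'.
PLACEHOLDERS = {"format": "%s", "qmark": "?"}

# Identifiers (table/column names) cannot be bound as parameters, so they are
# allow-listed before being interpolated into the statement text.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_insert(table, fieldnames, paramstyle):
    """Return an INSERT with one placeholder per column; no values inside."""
    for ident in (table, *fieldnames):
        if not IDENT_RE.match(ident):
            raise ValueError("invalid identifier: %r" % (ident,))
    ph = PLACEHOLDERS[paramstyle]
    return "INSERT INTO %s (%s) VALUES (%s)" % (
        table, ", ".join(fieldnames), ", ".join([ph] * len(fieldnames)))


def insert_row(conn, table, fieldnames, values):
    """Execute the INSERT, letting the driver bind values (no manual escaping)."""
    sql = build_insert(table, fieldnames, sqlite3.paramstyle)
    cur = conn.cursor()
    cur.execute(sql, values)
    conn.commit()
    return cur.rowcount


def demo():
    """Insert a constructed value full of quote characters and read it back."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (author TEXT, body TEXT)")
    # Constructed sample input: characters a hand-written escaper gets wrong.
    body = "O'Reilly said: DROP TABLE notes; -- \"quoted\""
    insert_row(conn, "notes", ["author", "body"], ["david", body])
    return conn.execute("SELECT author, body FROM notes").fetchall()


if __name__ == "__main__":
    print(build_insert("notes", ["author", "body"], "format"))
    print(demo())
```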