sql escaping module

David Bear david.bear at asu.edu
Thu Dec 8 20:07:03 CET 2005

Fredrik Lundh wrote:

> David Bear wrote:
>> Being new to pgdb, I'm finding there are a lot of things I don't understand
>> when I read the PEP and the sparse documentation on pgdb.
>> I was hoping there would be a module that would properly escape longer
>> text strings to prevent sql injection -- and other things just make sure
>> the python string object ends up being a proper type for postgresql.
>> I've bought 3 books on postgresql and none of the code samples demonstrate
>> this.
>> web searches for 'python sql escape string' yield way too many results.
>> Any pointers would be greatly appreciated.
> for x in range(1000000):
> </F>
Yes. Fredrik and others. Thank you for the advice.

I now have the following code:

    parmChar = '%s'
    sqlInsert = """INSERT INTO %s (%s) VALUES (%s); """ % (tn,
        ", ".join(fieldnames), ", ".join([parmChar] * len(fieldnames)))
    try:
        cursor.execute(sqlInsert, datum)   # pgdb binds datum to the %s placeholders
    except pgdb.DatabaseError:
        # second log argument was cut off in the original; datum assumed
        logerror("Error on record insert \n %s \n %s" % (sqlInsert, datum))

I was not aware that the python db interface would just handle proper
escaping of python data types to proper postgresql data types.

Any other hints on database programming much appreciated.

David Bear
-- let me buy your intellectual property, I want to own your thoughts --
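As an added example (not code from this thread), here is the same insert pattern with the values left to the driver's parameter binding and the table and column names, which cannot be bound as parameters, validated before they are interpolated into the SQL text. It uses the standard library sqlite3 module as a stand-in for pgdb, so the placeholder is picked from the driver's paramstyle; the table, field names and the hostile sample value are constructed for the demonstration.

```python
import re
import sqlite3

# Placeholder per DB-API paramstyle: pgdb uses 'format' (%s), sqlite3 uses 'qmark' (?).
PLACEHOLDERS = {"format": "%s", "pyformat": "%s", "qmark": "?"}

IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def safe_identifier(name):
    """Accept only plain unquoted SQL identifiers and reject everything else.
    Table and column names are pasted into the statement text, not bound as
    parameters, so this check is the only defence when they come from outside."""
    if not IDENT_RE.match(name):
        raise ValueError("unsafe SQL identifier: %r" % (name,))
    return name


def build_insert(tn, fieldnames, paramstyle="format"):
    """Build 'INSERT INTO tn (f1, f2) VALUES (%s, %s)' with one placeholder
    per field; identifiers are validated, values are left to the driver."""
    cols = [safe_identifier(f) for f in fieldnames]
    ph = PLACEHOLDERS[paramstyle]
    return "INSERT INTO %s (%s) VALUES (%s)" % (
        safe_identifier(tn), ", ".join(cols), ", ".join([ph] * len(cols)))


def insert_row(conn, tn, fieldnames, datum):
    """Execute the insert; datum is bound by the driver, never interpolated."""
    sql = build_insert(tn, fieldnames, sqlite3.paramstyle)
    conn.cursor().execute(sql, datum)
    conn.commit()
    return sql


def demo():
    """Store a value that looks like an injection attempt and read it back.
    With parameter binding it is stored literally and the table survives."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (author TEXT, body TEXT)")  # constructed
    hostile = "x'); DROP TABLE notes; --"  # constructed sample value
    insert_row(conn, "notes", ["author", "body"], ["dbear", hostile])
    return conn.execute("SELECT body FROM notes").fetchall()[0][0]
```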

More information about the Python-list mailing list