MySQL problem

Kent Johnson kent37 at
Fri Mar 18 18:09:47 CET 2005

wes weston wrote:
> Dennis Lee Bieber wrote:
>>     Try neither, the recommended method is to let the execute() do
>> the formatting... That way /it/ can apply the needed quoting of
>> arguments based upon the type of the data.
>> cursor.execute("insert into produkt1 (MyNumber) values (%s)", (MyValue,))
> Dennis,
>    Do you know if this has some efficiency advantage
> or is it just an agreed-upon custom?

It may have efficiency advantages if the DB caches requests. But the main advantages are that
- it correctly escapes special chars such as "
- consequently it also protects against SQL injection attacks where MyValue might contain malicious SQL.
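The escaping point above, as an added example that is not part of the original thread: the same value inserted once by Python string formatting and once through execute() parameter binding. MySQLdb, the driver under discussion, takes "%s" placeholders for every type; sqlite3 is assumed here so the code runs offline, and its placeholder is "?", but the mechanism is the same.

```python
import sqlite3

# Added example, not from the original thread. sqlite3 stands in for MySQLdb
# so this runs offline; MySQLdb would use "%s" where sqlite3 uses "?".

def new_table():
    """Fresh in-memory table shaped like the thread's produkt1."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table produkt1 (MyNumber text)")
    return conn

def insert_formatted(conn, value):
    """Unsafe: Python pastes the value into the SQL text, so a quote inside
    it ends the literal and whatever follows is parsed as SQL."""
    conn.execute("insert into produkt1 (MyNumber) values ('%s')" % value)

def insert_parameterized(conn, value):
    """Safe: execute() binds the value itself; note the 1-tuple (value,)."""
    conn.execute("insert into produkt1 (MyNumber) values (?)", (value,))

def stored_values(conn):
    rows = conn.execute("select MyNumber from produkt1 order by rowid")
    return [row[0] for row in rows]

def compare(value):
    """Insert one value both ways and report what each approach stored."""
    out = {}
    conn = new_table()
    try:
        insert_formatted(conn, value)
        out["formatted"] = stored_values(conn)
    except sqlite3.Error as exc:
        out["formatted"] = "error: " + type(exc).__name__
    conn = new_table()
    insert_parameterized(conn, value)
    out["parameterized"] = stored_values(conn)
    return out

if __name__ == "__main__":
    # Constructed inputs: a legitimate name containing an apostrophe, and a
    # value crafted to close the literal and smuggle in a second row.
    for v in ["O'Brien", "x'), ('smuggled"]:
        print(repr(v), compare(v))
```

The formatted version either fails on a harmless apostrophe or lets the input add rows; the bound version stores each string exactly as given.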
