passing arbitrary strings into a database
Fredrik Lundh
fredrik at pythonware.com
Sun Nov 27 11:56:24 EST 2005
schwehr at gmail.com wrote:
> I was wondering if there is a helper library out there that will nicely
> encode arbitrary text so that I can put it into a TEXT field in a
> database and then retrieve it without getting into trouble with ',",new
> lines or other such things that would foul the sql insert call and or
> be a security hazard?
don't ever use string formatting to add values to an SQL statement.
the right way to pass variables to the database engine is to use
parameters (aka bound variables):
cursor.execute(
    "insert into table (col1, col2) values (?, ?)",
    (value1, value2)   # DB-API 2: parameters go in a sequence, never into the SQL text
)
the exact marker depends on the database; use the paramstyle attribute
to figure out what's the right parameter marker to use for your database.
see the DB-API 2 spec for more information:
http://www.python.org/peps/pep-0249.html
</F>
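The following is an added example (not part of the original post) that shows the advice above against sqlite3, whose DB-API module uses the "qmark" paramstyle. It round-trips a constructed string containing single quotes, double quotes, a newline and a comment marker through a bound parameter, and contrasts that with the string-formatting approach the post warns against, which simply fails to parse on the same input. The placeholder() helper is an assumption added here to show how the DB-API paramstyle attribute maps to the marker you should write; it is not part of the DB-API itself.

```python
import sqlite3

# Constructed sample input: exactly the kind of text the original question worried about.
TRICKY_TEXT = "O'Reilly said \"hello\"\nsecond line; -- not a comment"

SCHEMA = "create table notes (id integer primary key, body text)"


def paramstyle():
    """Read the marker style the driver expects (sqlite3 reports 'qmark')."""
    return sqlite3.paramstyle


def placeholder(style, index, name):
    """Map a DB-API 2 paramstyle to the marker for the index-th/named parameter.

    Hypothetical helper: PEP 249 defines these five styles, but does not
    provide such a function itself.
    """
    return {
        "qmark": "?",
        "numeric": ":%d" % index,
        "named": ":%s" % name,
        "format": "%s",
        "pyformat": "%%(%s)s" % name,
    }[style]


def roundtrip_with_parameters(text):
    """Store and fetch text using bound parameters; returns what came back."""
    conn = sqlite3.connect(":memory:")
    try:
        cur = conn.cursor()
        cur.execute(SCHEMA)
        # The value travels separately from the SQL text, so quotes and
        # newlines inside it never reach the SQL parser.
        marker = placeholder(sqlite3.paramstyle, 1, "body")
        cur.execute("insert into notes (body) values (%s)" % marker, (text,))
        conn.commit()
        cur.execute("select body from notes where id = ?", (1,))
        return cur.fetchone()[0]
    finally:
        conn.close()


def insert_with_string_formatting(text):
    """The approach the post warns against: interpolate the value into the SQL.

    Returns (True, "ok") if the statement ran, or (False, exception name)
    if the database rejected the resulting SQL text.
    """
    conn = sqlite3.connect(":memory:")
    try:
        cur = conn.cursor()
        cur.execute(SCHEMA)
        # A single quote in `text` terminates the literal early; the rest is
        # parsed as SQL, so the statement is malformed (or, with other input,
        # means something the author never intended).
        cur.execute("insert into notes (body) values ('%s')" % text)
        return (True, "ok")
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return (False, type(exc).__name__)
    finally:
        conn.close()


if __name__ == "__main__":
    print("paramstyle:", paramstyle())
    print("bound parameter round-trip ok:", roundtrip_with_parameters(TRICKY_TEXT) == TRICKY_TEXT)
    print("string formatting result:", insert_with_string_formatting(TRICKY_TEXT))
```

Because placeholder() consults the module's paramstyle, the same insert code works unchanged against a "named" or "pyformat" driver once the parameters are passed as a mapping instead of a tuple; the point is that the driver, not your code, is responsible for getting the value safely to the engine.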