passing arbitrary strings into a database
fredrik at pythonware.com
Sun Nov 27 17:56:24 CET 2005
schwehr at gmail.com wrote:
> I was wondering if there is a helper library out there that will nicely
> encode arbitrary text so that I can put it into a TEXT field in a
> database and then retrieve it without getting into trouble with ', ", new
> lines or other such things that would foul the SQL insert call and/or
> be a security hazard?
don't ever use string formatting to add values to an SQL statement.
the right way to pass variables to the database engine is to use parameters
(aka bound variables):
cursor.execute("insert into table (col1, col2) values (?, ?)", (value1, value2))
the exact marker depends on the database; use the paramstyle attribute
to figure out what's the right parameter marker to use for your database.
see the DB-API 2 spec for more information:
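As an added illustration (not part of Fredrik's message or the thread), the script below uses the standard sqlite3 module and a hypothetical `notes` table: the string-formatted insert breaks on the first quote in the text, while the bound-parameter insert round-trips the same text unchanged, and the module's paramstyle attribute tells you which marker to use.

```python
import sqlite3

# Constructed sample text with the characters the poster worried about:
# single and double quotes, a semicolon, and both kinds of line break.
TRICKY_TEXT = "O'Reilly said \"hi\"; it's fine\nsecond line\r\nthird; line"


def sqlite_paramstyle():
    """DB-API 2 paramstyle for sqlite3; 'qmark' means ? is the marker."""
    return sqlite3.paramstyle


def naive_insert(conn, text):
    """The wrong way: the value is spliced into the SQL text with string
    formatting, so the first ' in `text` ends the literal early."""
    conn.execute("insert into notes (body) values ('%s')" % text)


def safe_insert(conn, text):
    """The right way: the value is a bound parameter, never parsed as SQL."""
    conn.execute("insert into notes (body) values (?)", (text,))


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table notes (id integer primary key, body text)")
    return conn


def naive_insert_fails(text):
    """True if the string-formatting version raises a database error."""
    conn = _fresh_db()
    try:
        naive_insert(conn, text)
    except sqlite3.Error:
        return True
    finally:
        conn.close()
    return False


def round_trip(text):
    """Store `text` with a bound parameter and read it back."""
    conn = _fresh_db()
    safe_insert(conn, text)
    (stored,) = conn.execute("select body from notes").fetchone()
    conn.close()
    return stored


if __name__ == "__main__":
    print("paramstyle:", sqlite_paramstyle())
    print("naive insert failed:", naive_insert_fails(TRICKY_TEXT))
    print("round trip intact:", round_trip(TRICKY_TEXT) == TRICKY_TEXT)
```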