passing artibrary strings into a database

Fredrik Lundh fredrik at pythonware.com
Sun Nov 27 17:56:24 CET 2005


schwehr at gmail.com wrote:

> I was wondering if there is a helper library out there that will nicely
> encode artibrary text so that I can put in into a TEXT field in a
> database and then retrieve it without getting into trouble with ',",new
> lines or  other such things that would foul the sql insert call and or
> be a security hazard?

don't ever use string formatting to add values to an SQL statement.
the right way to pass variables to the database engine is to use para-
meters (aka bound variables):

        cursor.execute(
            "insert into table (col1, col2) values ?, ?",
            value1, value2
        )

the exact marker depends on the database; use the paramstyle attribute
to figure out what's the right parameter marker to use for your database.
see the DB-API 2 spec for more information:

    http://www.python.org/peps/pep-0249.html

</F>






More information about the Python-list mailing list