passing arbitrary strings into a database

Fredrik Lundh fredrik at
Sun Nov 27 17:56:24 CET 2005

schwehr at wrote:

> I was wondering if there is a helper library out there that will nicely
> encode arbitrary text so that I can put it into a TEXT field in a
> database and then retrieve it without getting into trouble with ', ", new
> lines or other such things that would foul the sql insert call and/or
> be a security hazard?

don't ever use string formatting to add values to an SQL statement.
the right way to pass variables to the database engine is to use
parameters (aka bound variables):

            cursor.execute(
                "insert into table (col1, col2) values (?, ?)",
                (value1, value2),
            )

the exact marker depends on the database; use the paramstyle attribute
to figure out what's the right parameter marker to use for your database.
see the DB-API 2 spec for more information:


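The following is an added example, not code from Fredrik's reply or from any library the thread mentions. It uses Python's bundled sqlite3 module (DB-API 2, paramstyle "qmark") to show what the advice above means in practice: the string-formatting anti-pattern breaks as soon as a value contains a single quote, while a bound parameter stores every value verbatim, quotes, newlines and backslashes included. The sample values, the `notes` table and the helper names are constructed for this example; the `placeholder` table lists the five paramstyle values defined by the DB-API 2 spec (PEP 249).

```python
import sqlite3

# Constructed sample values containing characters that typically foul a
# hand-built INSERT: quotes, a newline, a backslash and a "--" sequence.
SAMPLE_VALUES = [
    "plain text",
    "it's got a single quote",
    'and a "double" quote',
    "line one\nline two",
    "back\\slash and -- a comment marker",
]


def make_db():
    """Fresh in-memory database with one TEXT column (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table notes (id integer primary key, body text)")
    return conn


def insert_unsafe(conn, body):
    """The anti-pattern: splice the value into the SQL text with string
    formatting. A quote inside `body` changes the statement itself."""
    conn.execute("insert into notes (body) values ('%s')" % body)


def insert_safe(conn, body):
    """Bound parameter (qmark style): the value never becomes part of the
    SQL text, so it may contain anything and is stored as-is."""
    conn.execute("insert into notes (body) values (?)", (body,))


def round_trip(values):
    """Insert each value with a bound parameter and read all of them back.
    Returns the stored bodies in insertion order."""
    conn = make_db()
    try:
        for v in values:
            insert_safe(conn, v)
        rows = conn.execute("select body from notes order by id").fetchall()
    finally:
        conn.close()
    return [row[0] for row in rows]


def unsafe_failures(values):
    """Try the string-formatting version on each value; return the values
    for which the database rejects the resulting statement."""
    failures = []
    for v in values:
        conn = make_db()
        try:
            insert_unsafe(conn, v)
        except sqlite3.Error:
            failures.append(v)
        finally:
            conn.close()
    return failures


def placeholder(paramstyle, index=1, name="p"):
    """Map a DB-API 2 paramstyle to the marker for one bound value.
    Read your driver's `paramstyle` attribute and pass it here."""
    return {
        "qmark": "?",
        "numeric": ":%d" % index,
        "named": ":%s" % name,
        "format": "%s",
        "pyformat": "%%(%s)s" % name,
    }[paramstyle]


if __name__ == "__main__":
    print("sqlite3.paramstyle =", sqlite3.paramstyle,
          "-> marker", placeholder(sqlite3.paramstyle))
    print("round trip intact:", round_trip(SAMPLE_VALUES) == SAMPLE_VALUES)
    print("string formatting failed on:", unsafe_failures(SAMPLE_VALUES))
```

Note that the formatting version only fails outright on the value with a single quote; the other awkward values happen to survive, which is exactly why this bug tends to go unnoticed until someone enters an apostrophe (or crafts a value on purpose). With a bound parameter there is no encoding step to get wrong, and the same code works against any DB-API 2 driver once the marker is taken from its `paramstyle`.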