String substitution VS proper mysql escaping

MRAB python at
Sat Aug 28 22:12:03 CEST 2010

On 28/08/2010 20:51, Νίκος wrote:
> On 28 Aug, 22:35, MRAB<pyt... at>  wrote:
>> """When there's more than one value you provide a tuple. It makes sense
>> from the point of view of consistency that you also provide a tuple when
>> there's only one value."""
> Can you write something that makes use of more than one value?
> Perhaps you mean something like?
> cursor.execute( '''SELECT hits FROM counters WHERE page = %s and date
> = %s and host = %s''' , (page,) )
> Is this what you mean?
> All those special format string identifiers will grab their values out
> of the tuple?

Your example contains 3 placeholders, so it needs 3 values:

     cursor.execute('''SELECT hits FROM counters WHERE page = %s and
                       date = %s and host = %s''', (page, date, host))

This will be safe. Any quoting that's needed will be done by .execute().

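The point of the thread, shown as a runnable example that is not part of the original messages: the same three-placeholder query run with a bound tuple versus with string substitution. It uses the standard-library sqlite3 module instead of MySQLdb, so the placeholder is `?` rather than `%s` (sqlite3's "qmark" paramstyle); the table columns and sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample data; the thread's "counters" table is assumed to have
# the columns page, date, host and hits.
SAMPLE_ROWS = [
    ("index.html", "2010-08-28", "203.0.113.5", 7),
    ("index.html", "2010-08-28", "o'neil.example", 2),
    ("about.html", "2010-08-28", "203.0.113.5", 1),
]

# sqlite3 uses "?" where MySQLdb uses "%s"; the binding rule is identical:
# one tuple element per placeholder, quoted by the driver, never by us.
SAFE_SQL = "SELECT hits FROM counters WHERE page = ? AND date = ? AND host = ?"
# The string-substitution variant pastes the values into the SQL text itself.
UNSAFE_SQL = "SELECT hits FROM counters WHERE page = '%s' AND date = '%s' AND host = '%s'"


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE counters (page TEXT, date TEXT, host TEXT, hits INTEGER)")
    conn.executemany("INSERT INTO counters VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def hits_safe(conn, page, date, host):
    """Parameterised query: .execute() binds each tuple element to a placeholder."""
    row = conn.execute(SAFE_SQL, (page, date, host)).fetchone()
    return row[0] if row else None


def hits_unsafe(conn, page, date, host):
    """String substitution: values become part of the SQL before it is parsed."""
    row = conn.execute(UNSAFE_SQL % (page, date, host)).fetchone()
    return row[0] if row else None


def binding_error(conn, page):
    """Reproduce the thread's mistake: three placeholders but a one-element tuple."""
    try:
        conn.execute(SAFE_SQL, (page,))
    except sqlite3.ProgrammingError as exc:
        return str(exc)   # "Incorrect number of bindings supplied ..."
    return None


def substitution_error(conn, page, date, host):
    """A legitimate value containing a quote breaks the pasted-together query."""
    try:
        return hits_unsafe(conn, page, date, host)
    except sqlite3.OperationalError as exc:
        return str(exc)   # a syntax error, while hits_safe() returns the row
```

With the host `o'neil.example`, `hits_safe()` returns 2 while `hits_unsafe()` fails to parse; the same quote-handling difference is what makes string substitution unsafe with untrusted input.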