String substitution VS proper mysql escaping

John Nagle nagle at
Mon Aug 30 22:43:32 CEST 2010

On 8/30/2010 1:11 AM, Gregory Ewing wrote:
> Nik the Greek wrote:
>> Yes i will i just asked to know if i were to substitute what might be
>> the problem so to understand why i need the quoting.
> Because if you use % to build a query string, the result must
> be syntactically valid SQL. The values that you substitute
> into the placeholders must end up looking like SQL literals.
> That means string values need to be in quotes, and probably
> dates as well, although numbers don't.
> When you use the execute method's own parameter substitution
> mechanism, things are different. It's not a textual replacement,
> and you don't put quotes around the placeholders. There's no
> particular reason for that, it's just the way it's defined
> to work.

    Actually, it IS a textual replacement.  What

     cursor.execute(sqlstring, values)

is doing is essentially

     quotedstr = sqlstring % map(MySQLdb.escape_string, values)

There's much confusion about this, but it isn't complicated.

				John Nagle

More information about the Python-list mailing list