[Tutor] escape-quoting strings

Danny Yoo dyoo at hkn.eecs.berkeley.edu
Mon Nov 1 21:51:30 CET 2004

On Mon, 1 Nov 2004, Lloyd Kvam wrote:

> http://python.org/topics/database/
> Read the DB-API spec version 2
> All of the module documentation assumes you are already familiar with
> the DB-API (DBI) and only deals with other issues.  The ability of the
> module to map your data into the query becomes critical when dealing
> with binary data.
> On Mon, 2004-11-01 at 00:32, Marilyn Davis wrote:
> > I don't see it in the documentation for MySQLdb at all!  Should I be
> > looking somewhere else?
> >
> > How did you learn this?
> >
> > I wish I knew this a few months ago.  Where have you been?? ;^)

Hi Marilyn,

All the SQL bindings in the programming languages I've seen provide some
kind of "prepared statement" syntax, since quotation is tricky to deal
with.  Java does it with its 'java.sql.PreparedStatement' class, and Perl
also supports it with its DBI::bind_param stuff.

But you're right, though: using a prepared statement is not obvious.
It's like one of those trial-by-fire sort of things.  It does seem to be a
very frequently asked question that is not well addressed by the current

I'd love to see this addressed directly in the Python-SQL tutorials out
there.  For example:


just sneaks the prepared syntax stuff in near the end, in the section
about Transactions, and doesn't highlight the reasons for using it.  The
other tutorial I often point folks to is the one by Devshed:


and it does use the prepared statement syntax... but, again, doesn't
explain what makes it better than direct interpolation.  And since
MySQLdb's prepared statement syntax looks almost like String Formatting,
it's not really obvious why using it is any better than just doing the
interpolation directly.

Does anyone want a crack at writing a tutorial about this?  *grin* Maybe
someone on the Tutor list can write something up and get it linked to the
Database Topics page:


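A worked illustration of the quoting point made above, added here and not part of the original thread. It uses Python's standard sqlite3 module (placeholder `?`) in place of MySQLdb (placeholder `%s`) so it runs offline; the table, names and addresses are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("O'Brien", "ob@example.invalid"), ("alice", "a@example.invalid")],
    )
    conn.commit()
    return conn


def lookup_interpolated(conn, name):
    """The pattern the thread warns against: Python string formatting builds
    the SQL text, so any quoting inside `name` becomes part of the statement."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """DB-API parameter binding: the value travels separately from the SQL and
    the driver quotes it. sqlite3 uses '?'; MySQLdb uses '%s', which is why its
    syntax looks like string formatting even though the driver does the work."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both lookups for `name`; the interpolated one reports a parse
    error as a string instead of raising, so the two can be compared."""
    conn = make_db()
    try:
        interpolated = lookup_interpolated(conn, name)
    except sqlite3.OperationalError as exc:
        interpolated = "error: %s" % exc
    bound = lookup_bound(conn, name)
    conn.close()
    return interpolated, bound


if __name__ == "__main__":
    # A plain name works either way; a name with an apostrophe breaks the
    # interpolated query but is handled correctly by the bound one.
    print(compare("alice"))
    print(compare("O'Brien"))
```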