sql using characters like é and ã

[Magnus Lycka]

Diez B. Roggisch wrote:
> "Select * from table where name like '%s%%'" %
> "José".decode("latin-1").encode("utf-8")

Ouch! Please use parameter passing instead of building full SQL
statements with embedded parameter values. You're opening up for
SQL injection attacks if you allow user provided input in SQL code.

Imagine that instead of "José", you had gotten
"';DELETE FROM TABLE;SELECT * FROM TABLE WHERE NAME LIKE='"