passing arbitrary strings into a database
Diez B. Roggisch
deets at nospam.web.de
Sun Nov 27 12:00:55 EST 2005
schwehr at gmail.com wrote:
> Hi All,
>
> I was wondering if there is a helper library out there that will nicely
> encode arbitrary text so that I can put it into a TEXT field in a
> database and then retrieve it without getting into trouble with ',",new
> lines or other such things that would foul the sql insert call and or
> be a security hazard? This feels like a newbie type question, but I
> haven't found anything with a quick search.
Use parametrized cursor.execute(..). That is, instead of doing
c.execute("insert into foo values ('%s')" % mytext)
do
c.execute("insert into foo values (?)", (mytext,))
Attention, the actual style of a parameter is dependent on your
database, e.g. Oracle uses a different one:
c.execute("insert into foo values (:mytext)", dict(mytext=mytext))
The actual style to use is given in the docs, or can be queried with
connection.paramstyle
I recommend reading the DB-API 2.0 specs.
Diez
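An added, self-contained illustration of the advice above (not code from the original thread): the same INSERT done with a bound qmark parameter and with a bound named parameter, round-tripped through an in-memory sqlite3 database with constructed sample strings containing quotes, newlines, a backslash and a semicolon, beside the string-formatted form the reply warns against. The table name foo and column name body are assumptions; sqlite3 is used only because it ships with Python.

```python
import sqlite3

# Constructed sample values: exactly the characters the question worries
# about. With parameter binding they travel to the database verbatim and
# never touch the SQL text, so no escaping library is needed.
SAMPLES = [
    "O'Brien said \"hi\"",
    "line one\nline two",
    "back\\slash and a ; semicolon -- not a comment",
]


def roundtrip(texts):
    """Insert each text with a bound qmark parameter and read it back."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, body TEXT)")
    for t in texts:
        # The parameters argument must be a sequence (or a mapping for
        # the named style): (t,) is a one-element tuple, bare t would fail.
        conn.execute("INSERT INTO foo (body) VALUES (?)", (t,))
    conn.commit()
    return [row[0] for row in conn.execute("SELECT body FROM foo ORDER BY id")]


def named_roundtrip(text):
    """Same insert using the named paramstyle, which sqlite3 also accepts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (body TEXT)")
    conn.execute("INSERT INTO foo VALUES (:mytext)", {"mytext": text})
    return conn.execute("SELECT body FROM foo").fetchone()[0]


def formatted_insert_error(text):
    """The discouraged string-formatting form from the reply.

    Returns the database error message if the text breaks the statement,
    or None if it happened to parse. A single quote is enough to break it.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (body TEXT)")
    try:
        conn.execute("INSERT INTO foo VALUES ('%s')" % text)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def driver_paramstyle():
    """DB-API 2.0 exposes the placeholder style as a module attribute."""
    return sqlite3.paramstyle


if __name__ == "__main__":
    print("paramstyle:", driver_paramstyle())
    for original, stored in zip(SAMPLES, roundtrip(SAMPLES)):
        print(repr(original), "->", "ok" if original == stored else "CHANGED")
    print("named style:", repr(named_roundtrip("it's fine")))
    print("formatted form:", formatted_insert_error(SAMPLES[0]))
```

Running it shows every sample coming back byte-for-byte identical through both binding styles, while the string-formatted form fails on the first sample because the embedded quote terminates the SQL literal early.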