%s place holder does not let me insert ' in an sql query with python.

rdmurray at bitdance.com
Mon Dec 15 08:03:38 EST 2008


On Mon, 15 Dec 2008 at 18:16, Krishnakant wrote:
> how do you let the ' go as a part of the string?
> I have used %s as placeholder as in
> queryString = "insert into venders values ('%s,%s,%s" %
> (field1,field2,field3 ) ...
> This is not working for the ' values.

This is untested, but I think what you want is:

cursor.execute("insert into venders values (?, ?, ?)", (field1, field2, field3))

This uses parameter binding and should properly quote the values.
It's also the "right way" to do it to avoid sql injection attacks
and for efficiency if you run the same query multiple times.

--RDM
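A runnable illustration of the point made in the reply above (added here; it is not code from the thread). It uses Python's bundled sqlite3 module, since the original driver is not named, and assumes a three-column "venders" table. It shows that formatting a value containing an apostrophe into the SQL text produces a malformed statement, while parameter binding stores the value intact, and uses executemany for the repeated-query case the reply mentions. Note that the placeholder character depends on the driver: sqlite3 uses "?" (qmark style), others such as MySQLdb use "%s"; the module's paramstyle attribute tells you which.

```python
import sqlite3

# Constructed sample rows; the first contains the apostrophe case from the question.
SAMPLE_VENDERS = [
    ("O'Reilly Media", "Sebastopol", "books"),
    ("Acme Corp", "Springfield", "hardware"),
]


def make_db():
    """In-memory database with the assumed three-column venders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table venders (name text, city text, category text)")
    return conn


def insert_formatted(conn, field1, field2, field3):
    """The approach from the question: values pasted into the SQL text.

    A quote inside a value terminates the string literal early, so the
    resulting statement is malformed (or, with crafted input, means
    something else entirely).
    """
    query = "insert into venders values ('%s', '%s', '%s')" % (field1, field2, field3)
    conn.execute(query)


def insert_bound(conn, field1, field2, field3):
    """Parameter binding: the values travel separately from the SQL text,
    so a quote inside a value is just data. sqlite3 uses '?' placeholders
    (sqlite3.paramstyle == 'qmark'); check your driver's paramstyle."""
    conn.execute("insert into venders values (?, ?, ?)", (field1, field2, field3))


def insert_many(conn, rows):
    """Same statement run once per row; the driver prepares it a single time."""
    conn.executemany("insert into venders values (?, ?, ?)", rows)


def stored_names(conn):
    return [row[0] for row in conn.execute("select name from venders order by name")]


def demo():
    """Returns (formatted_failed, names_after_binding) for the sample rows."""
    conn = make_db()
    formatted_failed = False
    try:
        insert_formatted(conn, *SAMPLE_VENDERS[0])
    except sqlite3.OperationalError:
        # "O'Reilly Media" broke the statement: near "Reilly": syntax error
        formatted_failed = True
    insert_bound(conn, *SAMPLE_VENDERS[0])
    insert_many(conn, SAMPLE_VENDERS[1:])
    return formatted_failed, stored_names(conn)


if __name__ == "__main__":
    print(demo())
```

Running it prints (True, ['Acme Corp', "O'Reilly Media"]): the formatted insert raises an error on the apostrophe, and the bound inserts keep it as part of the stored value.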


