Manual parameter substitution in sqlite3
Neil Cerutti
neilc at norwich.edu
Tue Feb 28 17:05:59 EST 2017
On 2017-02-28, Skip Montanaro <skip.montanaro at gmail.com> wrote:
> Some database adapters provide a function to do explicit
> substitution (e.g., mySQLdb.escape, psycopg2._param_escape),
> but the sqlite3 adapter doesn't.
It's clunky but you can use sqlite's core "quote" function.
quote(X)
The quote(X) function returns the text of an SQL literal which
is the value of its argument suitable for inclusion into an
SQL statement. Strings are surrounded by single-quotes with
escapes on interior quotes as needed. BLOBs are encoded as
hexadecimal literals. Strings with embedded NUL characters
cannot be represented as string literals in SQL and hence the
returned string literal is truncated prior to the first NUL.
The time I found it useful was when I thought I needed to build a
query with parameters where the DB-API didn't allow them, e.g.,
in the column-names portion of an INSERT statement.
quoted_val, = c.execute("SELECT quote(?);", (val,)).fetchone()
--
Neil Cerutti
More information about the Python-list
mailing list