python and sqlite - escape input

python sqlite pysqlite
Wizzard picture Wizzard · Oct 17, 2010 · Viewed 7.9k times · Source

Using python with a sqlite DB - whats the method used for escaping the data going out and pulling the data coming out?

Using pysqlite2

Google has conflicting suggestions.

Answer

unutbu picture unutbu · Oct 17, 2010

Use the second parameter args to pass arguments; don't do the escaping yourself. Not only is this easier, it also helps prevent SQL injection attacks.

cursor.execute(sql,args)

for example,

cursor.execute('INSERT INTO foo VALUES (?, ?)', ("It's okay", "No escaping necessary") )

Related questions

Python SQLite: database is locked

I'm trying this code: import sqlite connection = sqlite.connect('cache.db') cur = connection.cursor() cur.execute('''create table item (id integer primary key, itemno text unique, scancode text, descr text, price real)''') connection.commit() cur.close() I'm catching this …

Read More
How to install pysqlite?

I am trying to install pysqlite (Python interface to the SQLite). I downloaded the file with the package (pysqlite-2.5.5.tar.gz). And I did the following: gunzip pysqlite-2.5.5.tar.gz tar xvf pysqlite-2.5.5.tar \cd pysqlite-2.5.5 python setup.py install …

Read More
I can't get Python's executemany for sqlite3 to work properly

I was trying to use executemany to insert values into a database, but it just won't work for me. Here is a sample: clist = [] clist.append("abc") clist.append("def") clist.append("ghi") cursor.executemany("INSERT INTO myTable(data) values (?) ", …

Read More