python and sqlite - escape input

Wizzard · Oct 17, 2010 · Viewed 7.9k times

Using Python with a SQLite DB - what's the method used for escaping the data going in and pulling the data coming out?

Using pysqlite2

Google has conflicting suggestions.

Answer

unutbu · Oct 17, 2010

Use the second parameter args to pass arguments; don't do the escaping yourself. Not only is this easier, it also helps prevent SQL injection attacks.

cursor.execute(sql, args)

for example,

cursor.execute('INSERT INTO foo VALUES (?, ?)', ("It's okay", "No escaping necessary"))
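The following is an added, self-contained example (not part of the question or the answer above) that demonstrates the point in full: parameters are bound by the driver on the way in, and a plain parameterized SELECT pulls the data back out unchanged, so no escaping code is written in Python at all. It uses the standard-library `sqlite3` module, which has the same DB-API interface as the `pysqlite2` module the question mentions; the table `foo`, the column names, the sample rows and the helper function names are all constructed for the example. The last helper shows the failure mode that hand-built SQL produces with the same input.

```python
import sqlite3

# Constructed sample rows. Each note contains characters that would break or
# alter a statement built by string concatenation; none of them need escaping
# when passed as parameters.
SAMPLE_ROWS = [
    (1, "It's okay"),
    (2, 'Double " quote and backslash \\'),
    (3, "semicolon; and -- comment markers"),
]


def open_db():
    """Create an in-memory database with one table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, note TEXT)")
    return conn


def insert_rows(conn, rows):
    """Insert using qmark-style placeholders; SQLite binds the values."""
    conn.executemany("INSERT INTO foo (id, note) VALUES (?, ?)", rows)
    conn.commit()


def fetch_note(conn, note_id):
    """Read a value back. Nothing is unescaped: the stored text is returned
    exactly as it was passed in."""
    cur = conn.execute("SELECT note FROM foo WHERE id = ?", (note_id,))
    row = cur.fetchone()
    return None if row is None else row[0]


def find_by_note(conn, text):
    """Same idea with named placeholders (:name) and a dict of arguments."""
    cur = conn.execute("SELECT id FROM foo WHERE note = :n", {"n": text})
    return [r[0] for r in cur.fetchall()]


def round_trip(rows):
    """Insert every row and read it back; returns the recovered (id, note) list."""
    conn = open_db()
    try:
        insert_rows(conn, rows)
        return [(i, fetch_note(conn, i)) for i, _ in rows]
    finally:
        conn.close()


def naive_insert_fails(text):
    """Contrast: building the statement by concatenation. An apostrophe in the
    data ends the string literal early and SQLite rejects the statement.
    Returns True when the statement fails, False when it happens to parse."""
    conn = open_db()
    try:
        conn.execute("INSERT INTO foo (id, note) VALUES (1, '" + text + "')")
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    for row in round_trip(SAMPLE_ROWS):
        print(row)
    print("concatenation with an apostrophe fails:", naive_insert_fails("It's okay"))
```

Both `?` and `:name` placeholders are accepted by the `sqlite3` module; what matters is that the values never become part of the SQL text, which is why the same input that breaks the concatenated statement is stored and read back intact.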