A good way to escape quotes in a database query string?

python database escaping sql-injection
Jonathan Prior picture Jonathan Prior · May 22, 2009 · Viewed 93.5k times · Source

I've tried all manner of Python modules and they either escape too much or in the wrong way. What's the best way you've found to escape quotes (", ') in Python?

Answer

Dave Webb picture Dave Webb · May 22, 2009

If it's part of a Database query you should be able to use a Parameterized SQL Statement.

As well as escaping your quotes, this will deal with all special characters and will protect you from SQL injection attacks.

Related questions

Django Model() vs Model.objects.create()

What it the difference between running two commands: foo = FooModel() and bar = BarModel.objects.create() Does the second one immediately create a BarModel in the database, while for FooModel, the save() method has to be called explicitly to add it …

Read More
Python: Number of rows affected by cursor.execute("SELECT ...)

How can I access the number of rows affected by: cursor.execute("SELECT COUNT(*) from result where server_state='2' AND name LIKE '"+digest+"_"+charset+"_%'")

Read More
Importing a CSV file into a sqlite3 database table using Python

I have a CSV file and I want to bulk-import this file into my sqlite3 database using Python. the command is ".import .....". but it seems that it cannot work like this. Can anyone give me an example of how to …

Read More