7

Using python with a sqlite DB - what's the method used for escaping the data going out and pulling the data coming out?

Using pysqlite2

Google has conflicting suggestions.

Wizzard

1 Answer

23

Use the second parameter args to pass arguments; don't do the escaping yourself. Not only is this easier, it also helps prevent SQL injection attacks.

cursor.execute(sql, args)

for example,

cursor.execute('INSERT INTO foo VALUES (?, ?)', ("It's okay", "No escaping necessary"))
dns
unutbu
  • Thanks, I wasn't sure of the python way. I am well aware of SQL attacks, which is why I am trying to find the best way in python. Thanks, will see if there are any more comments on this and give it a go. – Wizzard Oct 17 '10 at 08:35
  • @Wizzard, unutbu is right, this works and will save you a lot of headache. For the other part of your question: pysqlite2 will return to you the objects from the DB in the right format, so you can directly use them as int, float, string, datetime,... – eumiro Oct 17 '10 at 08:47
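The following is an added example that is not part of the original answer or comments. It uses the standard-library sqlite3 module (the successor of pysqlite2, with the same DB-API 2.0 interface) and an in-memory database. The table name foo, its column layout, and the SAMPLE_ROWS values are constructed for the example. It shows both halves of the question: why the driver's parameter binding is preferred over splicing values into the SQL text (a value containing an apostrophe simply fails as a statement when spliced, and binds cleanly when passed as an argument), and that the rows come back out as native Python objects (str, int, float, datetime) without any unescaping on the way out.

```python
import sqlite3
from datetime import datetime

# Constructed sample rows (not from the original post): a text value containing
# an apostrophe, an integer, a float and a timestamp.
SAMPLE_ROWS = [
    ("It's okay", 1, 2.5, datetime(2010, 10, 17, 8, 35)),
    ("No escaping necessary", 2, 3.75, datetime(2010, 10, 17, 8, 47)),
]


def make_db():
    """Create an in-memory database with one hypothetical table `foo`.

    PARSE_DECLTYPES makes sqlite3 apply its converters to the declared column
    types, so the TIMESTAMP column is returned as a datetime object.
    """
    conn = sqlite3.connect(":memory:", detect_types=sqlite3.PARSE_DECLTYPES)
    conn.execute(
        "CREATE TABLE foo (name TEXT, count INTEGER, ratio REAL, seen TIMESTAMP)"
    )
    return conn


def insert_unsafe(conn, name):
    """The pattern the answer warns against: the value is spliced into the SQL text.

    An apostrophe in `name` ends the string literal early, so SQLite rejects the
    statement with OperationalError. Returns True if the insert ran, False if
    the statement was rejected.
    """
    try:
        conn.execute("INSERT INTO foo (name) VALUES ('%s')" % name)
        return True
    except sqlite3.OperationalError:
        return False


def insert_rows(conn, rows):
    """The recommended pattern: '?' placeholders plus one args tuple per row.

    The driver binds each value; no quoting is done by hand. executemany()
    accumulates the number of inserted rows in cursor.rowcount.
    """
    cur = conn.executemany("INSERT INTO foo VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return cur.rowcount


def fetch_by_name(conn, name):
    """Named-parameter form (:name) for the lookup side.

    The rows come back as Python objects (str, int, float, datetime); nothing
    needs to be unescaped on the way out.
    """
    cur = conn.execute(
        "SELECT name, count, ratio, seen FROM foo WHERE name = :name",
        {"name": name},
    )
    return cur.fetchall()


if __name__ == "__main__":
    db = make_db()
    print("spliced insert of plain text ran:", insert_unsafe(db, "plain"))
    print("spliced insert of \"It's okay\" ran:", insert_unsafe(db, "It's okay"))
    print("bound inserts:", insert_rows(db, SAMPLE_ROWS))
    for row in fetch_by_name(db, "It's okay"):
        print(row, [type(v).__name__ for v in row])
```

Running the script shows the spliced insert succeeding for a harmless value and being rejected for the value with the apostrophe, while the bound inserts succeed for both sample rows and the lookup returns the datetime column as a datetime object rather than a string.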