Use % escapes in your SQL, but instead of using the % operator to do
the substitution, pass the tuple of values as a second parameter to
cursor.execute().  If you tell the db back end that this is a string, by using
%s, then it will quote it properly so that it won't be interpreted as SQL,
so that any embedded quotes are escaped, etc.

It is also possible to use named parameters and pass a dictionary.  At
one point this was broken in the SQLite back end, but has probably been
fixed by now.  I know from personal experience that it works with the
PostgreSQL back end.

Bill

On Mon, Feb 21, 2011 at 5:44 AM, ju <julian.po...@gmail.com> wrote:
> I need to construct a long SQL request to my database, but I'm not
> sure how can I escape parameters correctly
>
> How can I explicitly escape parameters in SQL like cursor.execute()
> does?
>
> Can you also give me an example of what exactly this escaping has to do,
> so I can test it?
>
> Is there any difference if you escape standard SQL request or database
> function call?
>
> I need to create SQL like this one ... select * from
> function_name(params_count, ARRAY[(param, param, param), (param,
> param, param), (param, param, param)...
>
> Also here: 
> http://stackoverflow.com/questions/5064637/django-postgres-explicit-sql-parameters-escape
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en.
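An added example (not code from the thread) showing the difference Bill describes: the placeholder stays in the SQL text and the values travel separately, so a quote inside a value is data rather than syntax. It uses the standard library sqlite3 module so it runs offline, which means `?` and `:name` placeholders; Django's `connection.cursor()` and psycopg2 use `%s` and `%(name)s` instead, but the rule is the same. The table, rows and lookup functions are constructed for the example. The last function also covers ju's variable-length case (a list of values of unknown length): the placeholders are generated by the program and only the values come from the caller.

```python
import sqlite3


def make_db():
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("O'Hara", "user"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    # Bad: the value is spliced into the SQL text with the % operator, so a
    # quote inside the value changes the structure of the statement.
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_positional(conn, name):
    # Good: the placeholder stays in the SQL and the value is passed as a
    # tuple; the driver quotes it and it is always treated as data.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_named(conn, name, role):
    # Named placeholders with a dictionary (":name" here, "%(name)s" in
    # Django/psycopg2).
    sql = "SELECT name, role FROM users WHERE name = :name AND role = :role"
    return conn.execute(sql, {"name": name, "role": role}).fetchall()


def lookup_many(conn, names):
    # Variable-length input: generate one placeholder per value in code (this
    # string contains no user data, so building it with % is fine) and pass
    # the flattened values as the second argument.
    placeholders = ", ".join("?" for _ in names)
    sql = "SELECT name, role FROM users WHERE name IN (%s) ORDER BY name" % placeholders
    return conn.execute(sql, tuple(names)).fetchall()


def outcome(fn, *args):
    # Small wrapper so the result of a query can be compared whether it
    # returned rows or raised a database error.
    try:
        return ("rows", fn(*args))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    conn = make_db()
    for value in ["O'Hara", "x' OR '1'='1"]:
        print("unsafe     ", repr(value), outcome(lookup_unsafe, conn, value))
        print("positional ", repr(value), outcome(lookup_positional, conn, value))
    print("named      ", lookup_named(conn, "bob", "user"))
    print("many       ", lookup_many(conn, ["bob", "alice"]))
```

With the `%`-spliced query, `O'Hara` produces a syntax error and the second value returns every row; with the value passed as a parameter, the first returns exactly the one matching row and the second returns none, because no user named `x' OR '1'='1` exists. That behaviour is what Bill means by "quoted properly", and it is what to test for when checking a long hand-built statement.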
