[EMAIL PROTECTED] wrote:
> I was wondering if there is a helper library out there that will nicely
> encode arbitrary text so that I can put it into a TEXT field in a
> database and then retrieve it without getting into trouble with ', ", new
> lines or other such things that would foul the sql insert call and or
> be a security hazard?
don't ever use string formatting to add values to an SQL statement. the right way to pass variables to the database engine is to use parameters (aka bound variables):

    cursor.execute(
        "insert into table (col1, col2) values (?, ?)",
        (value1, value2)
    )

the exact marker depends on the database; use the paramstyle attribute to figure out what's the right parameter marker to use for your database. see the DB-API 2 spec for more information:

    http://www.python.org/peps/pep-0249.html

</F>

--
http://mail.python.org/mailman/listinfo/python-list
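The reply above in working form, as an added example that is not part of the original thread: a helper that builds the INSERT with the marker matching a DB-API module's `paramstyle`, then stores and reads back text containing the quotes and newlines the question asked about. `placeholder`, `build_insert`, `round_trip` and `SAMPLE_TEXT` are names chosen here; the module used is the standard-library `sqlite3` (paramstyle `qmark`).

```python
import sqlite3

# Placeholder for one parameter under each DB-API 2 paramstyle (PEP 249).
# 'qmark', 'numeric' and 'format' take a sequence of values;
# 'named' and 'pyformat' take a mapping keyed by parameter name.
def placeholder(paramstyle, name, position):
    return {
        "qmark": "?",
        "numeric": ":%d" % position,
        "named": ":%s" % name,
        "format": "%s",
        "pyformat": "%%(%s)s" % name,
    }[paramstyle]


def build_insert(paramstyle, table, values):
    """Return (sql, params) for a module with the given paramstyle.

    `values` maps column name -> value. Only markers go into the SQL
    text; the values travel separately to the driver, so quotes,
    newlines and semicolons in them never touch the statement.
    """
    cols = list(values)
    marks = [placeholder(paramstyle, c, i + 1) for i, c in enumerate(cols)]
    sql = "insert into %s (%s) values (%s)" % (
        table, ", ".join(cols), ", ".join(marks))
    if paramstyle in ("named", "pyformat"):
        return sql, dict(values)
    return sql, tuple(values[c] for c in cols)


# Constructed sample containing every character the question worried about.
SAMPLE_TEXT = "Bob's \"notes\";\nline two\ttab \\ backslash"


def round_trip(text):
    """Store `text` in a TEXT column via bound parameters and read it back."""
    conn = sqlite3.connect(":memory:")
    try:
        cur = conn.cursor()
        cur.execute("create table notes (id integer primary key, body text)")
        sql, params = build_insert(sqlite3.paramstyle, "notes", {"body": text})
        cur.execute(sql, params)
        cur.execute("select body from notes where id = ?", (cur.lastrowid,))
        return cur.fetchone()[0]
    finally:
        conn.close()
```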