[EMAIL PROTECTED] wrote:
> Hi All,
>
> I was wondering if there is a helper library out there that will nicely
> encode arbitrary text so that I can put it into a TEXT field in a
> database and then retrieve it without getting into trouble with ', ", new
> lines or other such things that would foul the SQL insert call and/or
> be a security hazard? This feels like a newbie type question, but I
> haven't found anything with a quick search.
Use parametrized cursor.execute(..). That is, instead of doing
c.execute("insert into foo values ('%s')" % mytext)
do
c.execute("insert into foo values (?)", (mytext,))
Attention, the actual style of a parameter is dependent on your
database, e.g. Oracle uses a different one:
c.execute("insert into foo values (:mytext)", dict(mytext=mytext))
The actual style to use is given in the docs, or can be queried with
connection.paramstyle
I recommend reading the DB-API 2.0 specs.
Diez
--
http://mail.python.org/mailman/listinfo/python-list
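An added example (not part of the thread) showing the difference the reply describes, using the standard sqlite3 module as the DB-API driver: the %-formatted insert breaks on constructed text containing quotes and newlines, while the qmark and named parameter styles round-trip it unchanged.

```python
import sqlite3

# Constructed sample text containing the characters the question worries about.
SAMPLE_TEXT = "O'Reilly said: \"hi\"\nline two; -- not a comment\\"


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (mytext TEXT)")
    return conn


def insert_unsafe(conn, text):
    """The pattern to avoid: text spliced into the SQL with % formatting.
    Arbitrary text breaks the statement (or, worse, changes its meaning)."""
    conn.execute("INSERT INTO foo VALUES ('%s')" % text)


def insert_qmark(conn, text):
    """DB-API qmark style: the driver passes the value separately, so quotes
    and newlines never touch the SQL text. Note the parameters are a 1-tuple."""
    conn.execute("INSERT INTO foo VALUES (?)", (text,))


def insert_named(conn, text):
    """Named style (also accepted by sqlite3), as in the Oracle example."""
    conn.execute("INSERT INTO foo VALUES (:mytext)", {"mytext": text})


def roundtrip(insert_fn, text=SAMPLE_TEXT):
    """Insert with insert_fn and return what the database gives back, or the
    exception class name if the insert itself failed."""
    conn = setup()
    try:
        insert_fn(conn, text)
    except sqlite3.Error as e:
        return type(e).__name__
    return conn.execute("SELECT mytext FROM foo").fetchone()[0]


def paramstyle():
    """DB-API 2.0 exposes paramstyle on the driver module."""
    return sqlite3.paramstyle


if __name__ == "__main__":
    print("paramstyle:", paramstyle())
    print("unsafe:", roundtrip(insert_unsafe))
    print("qmark ok:", roundtrip(insert_qmark) == SAMPLE_TEXT)
    print("named ok:", roundtrip(insert_named) == SAMPLE_TEXT)
```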