On Tue, 3 Mar 2009 13:17:48 +0100, Pet <petshm...@googlemail.com> wrote:
> Hi,
>
> What is a proper way to escape user input in database query strings?
> I've used quote from twisted.enterprise.util, but it is deprecated now.
> Is there any other module for this purpose?

The proper way is with "bind parameters".  This keeps SQL separate from
data and removes the entire category of bugs due to misquoting.  The way
to use bind parameters is to pass the SQL string as a separate argument
from the SQL data.  Using DB-API 2.0, this means something like:

   cursor.execute("SELECT foo FROM bar WHERE baz = ?", (3,))

Using ADBAPI, it means something very similar:

   connpool.runQuery("SELECT foo FROM bar WHERE baz = ?", (3,))

Different database adapters use different syntaxes for the "?" part.  The
`paramstyle` attribute of the DB-API 2.0 module tells you what syntax a
particular module uses.  See the DB-API 2.0 PEP
(<http://www.python.org/dev/peps/pep-0249/>) for details.

Jean-Paul

_______________________________________________
Twisted-Python mailing list
Twisted-Python@twistedmatrix.com
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
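The following is an added example illustrating Jean-Paul's point; it is not code from the thread, from Twisted, or from any DB-API module. It uses the stdlib sqlite3 module (paramstyle "qmark", and it also accepts "named") to show why string interpolation is dangerous and bind parameters are not, and it builds the same query for every paramstyle listed in PEP 249 so the SQL text and the parameter container always change together. The table bar with columns foo and baz is taken from the reply; its rows, and the helper names build_query, make_db, query_unsafe and query_safe, are assumptions made here. ADBAPI's runQuery takes the same (sql, params) pair that execute does, so the build_query output would be passed to it unchanged; the example sticks to sqlite3 so it runs without a reactor.

```python
import sqlite3

# Constructed sample table; not data from the original thread.
SAMPLE_ROWS = [("alpha", 3), ("bravo", 4), ("charlie", 3)]


def build_query(paramstyle, value, name="baz"):
    """Return (sql, params) for the given DB-API 2.0 paramstyle.

    The data is never spliced into the SQL text; only the placeholder
    syntax and the shape of the parameter container differ per adapter.
    """
    if paramstyle == "qmark":
        return "SELECT foo FROM bar WHERE baz = ?", (value,)
    if paramstyle == "numeric":
        return "SELECT foo FROM bar WHERE baz = :1", (value,)
    if paramstyle == "named":
        return "SELECT foo FROM bar WHERE baz = :%s" % name, {name: value}
    if paramstyle == "format":
        return "SELECT foo FROM bar WHERE baz = %s", (value,)
    if paramstyle == "pyformat":
        return "SELECT foo FROM bar WHERE baz = %%(%s)s" % name, {name: value}
    raise ValueError("unknown paramstyle: %r" % (paramstyle,))


def make_db():
    # In-memory database populated with the constructed rows above.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bar (foo TEXT, baz INTEGER)")
    conn.executemany("INSERT INTO bar VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def query_unsafe(conn, user_input):
    # Interpolation: whatever the user typed is parsed as SQL.
    sql = "SELECT foo FROM bar WHERE baz = %s" % user_input
    return [row[0] for row in conn.execute(sql)]


def query_safe(conn, user_input, paramstyle=sqlite3.paramstyle):
    # Bind parameter: the value is handed to the driver separately from
    # the SQL text, so it can only ever be compared against baz.
    sql, params = build_query(paramstyle, user_input)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    conn = make_db()
    hostile = "3 OR 1=1"
    print(query_unsafe(conn, hostile))   # every row: the tautology runs
    print(query_safe(conn, hostile))     # []: the string is compared, not run
    print(query_safe(conn, 3))           # ['alpha', 'charlie']
    print(query_safe(conn, 3, "named"))  # same result via :baz placeholder
```

sqlite3 refuses to execute more than one statement per call, so the classic `; DROP TABLE` payload is not the cleanest demonstration there; the tautology `3 OR 1=1` is enough to show that interpolated input is interpreted as SQL while a bound parameter is treated strictly as a value. Note also that quoting helpers such as the deprecated twisted.enterprise.util.quote only ever addressed the string case; bind parameters cover every type the driver knows how to bind.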
