Path: csiph.com!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: "J.O. Aho"
Newsgroups: comp.databases.mysql
Subject: Re: Escaping Strings
Date: Mon, 19 Aug 2024 11:24:06 +0200
Lines: 16
Message-ID:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Trace: individual.net PHSd77SDf/I5O1WNEhyrPwBxjRx/MkG5huZxONqSVnUQWtnZBZ
Cancel-Lock: sha1:DwtAX/1aOYpxhaB27G2lh9HEUkQ= sha256:BcmaAOMTV/xg8RwSJ2abl+sCwi7s4bLjjRKV1EEzi1Q=
User-Agent: Mozilla Thunderbird
Content-Language: en-US-large
In-Reply-To:
Xref: csiph.com comp.databases.mysql:7797

On 16/07/2024 00.46, Lawrence D'Oliveiro wrote:
> In standard SQL, backslashes have no special significance. String literals
> are delimited by single quotes, and any characters (except single quotes)
> are allowed in them; to include a single quote in the string, write it
> twice.
>
> So in Python, this expression is sufficient to turn a string "s" into a
> standard SQL string literal:
>
> "'" + s.replace("'", "''") + "'"

I would look into using parameterized queries, here is a Python example
https://pynative.com/python-mysql-execute-parameterized-query-using-prepared-statement/

-- 
//Aho
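The two approaches in this thread side by side, as an added example that is not code from either poster or from the linked article. It uses sqlite3 from the standard library so it runs offline; sqlite follows the standard-SQL quoting rule quoted above (single quote doubled, backslash not special), so the hand-built literal from the quoted post is correct there. The table, column and sample names are constructed for the demonstration. Note that MySQL differs from the standard here: by default it treats backslash as an escape character inside string literals (unless the NO_BACKSLASH_ESCAPES SQL mode is set), so the quoted one-liner is not sufficient for MySQL, which is one practical reason to let the driver bind the values. With MySQL Connector/Python the placeholder is `%s` rather than sqlite's `?`; the binding call is otherwise the same shape as `find_by_param` below.

```python
"""Hand-built SQL string literal vs. driver-bound parameter (added example).

Runs against an in-memory sqlite3 database with a constructed table.
"""
import sqlite3

# Constructed sample data: names chosen to exercise quotes, backslashes
# and a classic injection payload.
SAMPLE_NAMES = ["O'Brien", "plain", "back\\slash", "x' OR 1=1 --"]


def sql_literal(s: str) -> str:
    """Standard-SQL string literal exactly as given in the quoted post:
    wrap in single quotes, double every embedded single quote."""
    return "'" + s.replace("'", "''") + "'"


def make_db() -> sqlite3.Connection:
    """Create the constructed 'people' table and load SAMPLE_NAMES."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO people (name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    conn.commit()
    return conn


def find_by_literal(conn: sqlite3.Connection, name: str) -> list:
    """Query text assembled with sql_literal(). Correct only because sqlite
    uses standard quoting; on MySQL a backslash in `name` would be
    interpreted as an escape."""
    sql = "SELECT name FROM people WHERE name = " + sql_literal(name)
    return [row[0] for row in conn.execute(sql)]


def find_by_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver binds the value, so no quoting logic
    lives in application code and the SQL text never contains user data.
    (MySQL Connector/Python uses %s where sqlite uses ?.)"""
    return [row[0] for row in
            conn.execute("SELECT name FROM people WHERE name = ?", (name,))]


def find_unescaped(conn: sqlite3.Connection, name: str) -> list:
    """Plain concatenation with no escaping at all, for comparison: the
    input is parsed as SQL. Returns a single 'ERROR: ...' entry when the
    assembled statement does not even parse."""
    sql = "SELECT name FROM people WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return ["ERROR: " + str(exc)]


if __name__ == "__main__":
    conn = make_db()
    for n in SAMPLE_NAMES:
        print(repr(n))
        print("  literal   :", find_by_literal(conn, n))
        print("  param     :", find_by_param(conn, n))
        print("  unescaped :", find_unescaped(conn, n))
```

Running it shows that for `O'Brien` the unescaped version is a syntax error, for `x' OR 1=1 --` it returns every row in the table, while both the quoted literal builder and the parameterized query return exactly the one matching row for every sample input.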