| From | Lawrence D'Oliveiro <ldo@nz.invalid> |
|---|---|
| Newsgroups | comp.databases |
| Subject | Quoting SQL Strings |
| Date | 2024-04-29 02:53 +0000 |
| Organization | A noiseless patient Spider |
| Message-ID | <v0n23q$1gkpa$2@dont-email.me> (permalink) |
People see dynamic generation of SQL queries as some kind of black art. “Use templates and prepared statements”, they say. “Fear the SQL injection attack”, they say.
Turning a string value into a literal for use in an SQL query is really very simple. In Python, this is all it takes:

```python
# s is the Python str to embed; doubling each single quote is the standard-SQL escape
"'" + s.replace("'", "''") + "'"
```
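As an added example (not part of the original post), here is the quote-doubling rule wrapped in a function and checked the way a reviewer would check it: the literal is embedded in a query, run against an in-memory SQLite database, and compared with what the database parsed back, side by side with the same round trip done through parameter binding. The function names, the sample strings and the use of SQLite are assumptions of this example. Two caveats the round trip makes visible: the rule only applies to `str` values (the function rejects anything else, because `None`, numbers and `bytes` need different literal syntax), and it is the standard-SQL rule, which SQLite follows; a server such as MySQL with backslash escapes enabled treats `\` specially inside a literal, so the backslash sample below round-trips here but would need dialect-specific handling there. Parameter binding sidesteps both issues, which is the reason it is the usual recommendation.

```python
import sqlite3

# Constructed sample inputs: quote-heavy strings, an empty string, a string
# that already contains a doubled quote, a backslash and non-ASCII text.
SAMPLES = [
    "plain",
    "",
    "O'Brien",
    "'",
    "''",
    "a'b''c",
    "backslash \\ and unicode ✓",
]


def sql_string_literal(s: str) -> str:
    """Turn a Python str into a standard-SQL string literal by doubling
    every single quote and wrapping the result in single quotes."""
    if not isinstance(s, str):
        # None, int, float and bytes all need different literal syntax;
        # refuse rather than silently produce something wrong.
        raise TypeError("sql_string_literal only quotes str values")
    return "'" + s.replace("'", "''") + "'"


def roundtrip_literal(s: str) -> str:
    """Embed the quoted literal directly in the SQL text, let SQLite parse
    it, and return the string value SQLite saw."""
    con = sqlite3.connect(":memory:")
    try:
        return con.execute("SELECT " + sql_string_literal(s)).fetchone()[0]
    finally:
        con.close()


def roundtrip_param(s: str) -> str:
    """Same round trip, but the value is passed as a bound parameter and
    never touches the SQL text at all."""
    con = sqlite3.connect(":memory:")
    try:
        return con.execute("SELECT ?", (s,)).fetchone()[0]
    finally:
        con.close()


def all_roundtrip(samples=SAMPLES) -> bool:
    """True if every sample survives both the literal and the parameter
    round trip unchanged (as expected on SQLite for these inputs)."""
    return all(
        roundtrip_literal(s) == s and roundtrip_param(s) == s for s in samples
    )


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:32} -> {sql_string_literal(s)}")
    print("all samples round-trip:", all_roundtrip())
```

Running the block prints each sample next to the literal the rule produces and confirms that SQLite reads every one of them back unchanged; swapping SQLite for a backslash-escaping dialect is the point at which the literal path and the parameter path stop agreeing.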