From: Lawrence D'Oliveiro
Newsgroups: comp.databases
Subject: Quoting SQL Strings
Date: Mon, 29 Apr 2024 02:53:46 -0000 (UTC)
Organization: A noiseless patient Spider

People see dynamic generation of SQL queries as some kind of black art. “Use templates and prepared statements”, they say. “Fear the SQL injection attack”, they say.

Turning a string value into a literal for use in an SQL query is really very simple. In Python, this is all it takes:

    "'" + s.replace("'", "''") + "'"
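The following is an added example, not part of the post above, that exercises the quoting rule the post gives against an in-memory SQLite database and places it beside the two things a practitioner would want to compare it with: naive unescaped concatenation, and the parameterized query the post argues is unnecessary. The table, rows and the adversarial input are constructed for the demonstration. It also shows the one caveat the post does not mention: in dialects where backslash is an escape character inside string literals (MySQL and MariaDB unless sql_mode contains NO_BACKSLASH_ESCAPES), doubling quotes alone is not enough, because the input `\'` becomes `\''` and the backslash consumes the first quote, so backslashes must be doubled as well. The second escaper below does that; its name is this example's own, not a library function.

```python
import sqlite3

# Constructed rows for the demonstration; the third name is a classic
# injection payload stored as plain data.
ROWS = [("O'Brien", 1), ("Smith", 2), ("' OR 1=1 --", 3)]


def sql_literal(s: str) -> str:
    """The post's rule: double every single quote and wrap in quotes.

    This is the SQL-standard escape and is sufficient for dialects that
    treat the backslash as an ordinary character inside a literal
    (SQLite, PostgreSQL with standard_conforming_strings=on, Oracle,
    SQL Server).
    """
    return "'" + s.replace("'", "''") + "'"


def sql_literal_backslash_dialect(s: str) -> str:
    """Same rule extended for dialects where backslash escapes inside
    string literals (MySQL/MariaDB without NO_BACKSLASH_ESCAPES).

    With quote doubling alone, the input \\' becomes \\'' and the backslash
    swallows the first quote, ending the literal early; the remainder of
    the input is then parsed as SQL. Doubling backslashes closes that hole.
    """
    return "'" + s.replace("\\", "\\\\").replace("'", "''") + "'"


def _fresh_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, id INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return con


def lookup_unquoted(name: str) -> list:
    """Naive concatenation with no escaping: the bug the quoting rule fixes.

    For name = "' OR 1=1 --" the statement becomes
        SELECT id FROM users WHERE name = '' OR 1=1 --'
    and every row comes back.
    """
    con = _fresh_db()
    query = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(query)]


def lookup_by_literal(name: str) -> list:
    """Build the WHERE clause with the post's quoting rule and run it.

    The same payload now becomes the literal ''' OR 1=1 --' and matches
    only the row that literally contains that text.
    """
    con = _fresh_db()
    query = "SELECT id FROM users WHERE name = " + sql_literal(name)
    return [row[0] for row in con.execute(query)]


def lookup_by_param(name: str) -> list:
    """The prepared-statement form the post contrasts against, for comparison."""
    con = _fresh_db()
    query = "SELECT id FROM users WHERE name = ?"
    return [row[0] for row in con.execute(query, (name,))]


if __name__ == "__main__":
    payload = "' OR 1=1 --"
    print("unescaped:  ", lookup_unquoted(payload))
    print("quoted:     ", lookup_by_literal(payload))
    print("parameter:  ", lookup_by_param(payload))
    print("O'Brien:    ", lookup_by_literal("O'Brien"))
    print("mysql-style:", sql_literal_backslash_dialect("\\' OR 1=1 --"))
```

Run as a script, the unescaped lookup returns all three ids while both the quoted and the parameterized lookups return only id 3, which is the point the post is making for standard-conforming dialects. The last line shows why the rule must be dialect-aware: against a backslash-escaping server the quote-only literal `'\'' OR 1=1 --'` would terminate after the escaped quote, whereas the backslash-doubling version produces `'\\'' OR 1=1 --'`, which stays a single literal.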