python and sqlite - escape input
When using Python with SQLite DB, how to escape the data going in and pulling the data coming out?

Using pysqlite2

Kiger answered 17/10, 2010 at 8:27 Comment(0)

Use the second parameter args to pass arguments; don't do the escaping yourself. Not only is this easier, it also helps prevent SQL injection attacks.

cursor.execute(sql,args)

for example,

cursor.execute('INSERT INTO foo VALUES (?, ?)', ("It's okay", "No escaping necessary"))
Fossa answered 17/10, 2010 at 8:30 Comment(2)
Thanks, I wasn't sure of the Python way; I am well aware of SQL attacks, which is why I am trying to find the best way in Python. Thanks, will see if there are any more comments on this and give it a go. Kiger
@Wizzard, unutbu is right, this works and will save you a lot of headache. For the other part of your question: pysqlite2 will return to you the objects from the DB in the right format, so you can directly use them as int, float, string, datetime, ... Chak
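The points made in the answer and the comments above, as an added worked example (not code from the original post): it contrasts splicing a value into the SQL text with passing it as a parameter, shows that quotes, semicolons and comment markers are stored as plain data when parameterised, and shows that rows come back as native Python types. It uses the standard-library sqlite3 module, which is what pysqlite2 became, with a constructed in-memory table named foo; the column layout and the sample values are assumptions made for the example.

```python
import sqlite3  # pysqlite2 was merged into the standard library as sqlite3; same DB-API 2.0 interface


def setup_db():
    """Constructed in-memory table for the demonstration (not the asker's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, name TEXT, score REAL, note TEXT)")
    return conn


def insert_unsafe(conn, name, score):
    """The anti-pattern: the value is spliced into the SQL text.

    A single quote inside `name` terminates the string literal, so the rest of
    the value is parsed as SQL. With "It's okay" that surfaces as a syntax
    error; a differently shaped value would change what the statement does."""
    sql = "INSERT INTO foo (name, score) VALUES ('%s', %s)" % (name, score)
    conn.execute(sql)


def insert_param(conn, name, score, note=None):
    """The answer's approach: '?' placeholders, values passed as the second argument.

    The driver hands the values to SQLite separately from the statement text,
    so they are never parsed as SQL and need no escaping by the caller."""
    conn.execute(
        "INSERT INTO foo (name, score, note) VALUES (?, ?, ?)",
        (name, score, note),
    )


def lookup(conn, name):
    """Named placeholders work the same way; a mapping supplies the values."""
    cur = conn.execute(
        "SELECT name, score, note FROM foo WHERE name = :name", {"name": name}
    )
    return cur.fetchall()


def demo():
    conn = setup_db()
    tricky = "It's okay"

    # 1. String formatting breaks on the apostrophe (OperationalError from the parser).
    try:
        insert_unsafe(conn, tricky, 1.5)
        unsafe_failed = False
    except sqlite3.OperationalError:
        unsafe_failed = True

    # 2. The parameterised insert stores the same value verbatim.
    insert_param(conn, tricky, 1.5)

    # 3. Quotes, semicolons and comment markers are just data when parameterised.
    odd = "O'Brien; -- not a comment"
    insert_param(conn, odd, 2.0, note="no escaping necessary")

    stored_tricky = lookup(conn, tricky)
    stored_odd = lookup(conn, odd)

    # 4. Rows come back as native Python objects (the comment's second point):
    #    TEXT -> str, REAL -> float, NULL -> None.
    name, score, note = stored_tricky[0]
    types_back = (type(name).__name__, type(score).__name__, type(note).__name__)

    return {
        "unsafe_failed": unsafe_failed,
        "stored_tricky": stored_tricky,
        "stored_odd": stored_odd,
        "types_back": types_back,
        "row_count": conn.execute("SELECT COUNT(*) FROM foo").fetchone()[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Only the two parameterised inserts land in the table; the formatted one never parses. The same `?` placeholders work with executemany for bulk inserts, and the placeholder mechanism covers values only: table and column names cannot be parameterised and must come from a fixed allow-list in your own code.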
