Quoting sql queries with the DB-API

Re: Quoting sql queries with the DB-API

snacktime wrote:[color=blue]
> I'm used to using the perl DBI and not very familiar with the python
> DB-API. I am using PyGreSQL. My question is what is the standard way
> to quote strings in sql queries? I didn't see any quoting functions
> in the DB-API docs. Is quoting handled internally by the PyGreSQL
> module?
>
> Also, is this a good way to use variables in an insert/update
> statement, or is there a better way?
>
> sql = "insert into test(a,b) values('%s','%s ')" % (a,b)
> cursor.execute( sql)[/color]

If you do it like this:

sql = "INSERT INTO test(a, b) VALUES(%s, %s)" # no quotes around the %s
cursor.execute( sql, (a, b))

Then the quoting will be handled automatically for you.

Re: Quoting sql queries with the DB-API

> > Also, is this a good way to use variables in an insert/update[color=blue][color=green]
> > statement, or is there a better way?
> >
> > sql = "insert into test(a,b) values('%s','%s ')" % (a,b)
> > cursor.execute( sql)[/color]
>
> If you do it like this:
>
> sql = "INSERT INTO test(a, b) VALUES(%s, %s)" # no quotes around the %s
> cursor.execute( sql, (a, b))
>
> Then the quoting will be handled automatically for you.[/color]

Ah makes sense, thanks for the tip that was exactly what I needed.

Chris