On Tue, 18 Apr 2006, Lukasz Szybalski wrote:
SNIP
> Ok guys, thanks for help. I finally searched for how to escape strings and I
> used:
>
> "insert into table(id,body) values ('%d',"'''"%s"'''")"%(id,body)
>
> where "'''" on each side of s = double quote + 3x single quote+ double quote
As Andy Dustman said:
Don't do that. It'll work right up until you have a string with quotes
or \x00 bytes in it. Then bad things will happen. How bad depends on
where body comes from (think SQL injection attacks).
> c.execute("INSERT INTO table_x (body) VALUES (%s)", (body,))
Do that instead. Special characters will be escaped.
cheers
_______________________________________________
DB-SIG maillist - [email protected]
http://mail.python.org/mailman/listinfo/db-sig
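An added example, not from the thread, showing both approaches side by side with Python's bundled sqlite3 module (which uses the `?` paramstyle where MySQLdb uses `%s`). The test bodies are constructed: one holds both quote styles, the other a NUL byte, the two cases Andy warned about.

```python
import sqlite3

# Constructed test bodies: one with both quote styles, one with a NUL byte.
BODY_QUOTES = 'O\'Reilly said "hi"'
BODY_NUL = "abc\x00def"


def make_conn():
    """In-memory database with the table from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table_x (id INTEGER, body TEXT)")
    return conn


def insert_formatted(conn, row_id, body):
    """The pattern Lukasz started with: body pasted into the SQL text.
    Returns True if the statement ran, False if the quotes or the NUL
    byte in body broke it (sqlite3 raises on both)."""
    sql = "insert into table_x (id, body) values ('%d', '%s')" % (row_id, body)
    try:
        conn.execute(sql)
        return True
    except (sqlite3.Error, ValueError):  # NUL in the query text raises ValueError on older Pythons
        return False


def insert_parameterized(conn, row_id, body):
    """What Andy recommends: pass body as a parameter and let the driver
    bind it. sqlite3 uses '?' placeholders; MySQLdb uses '%s'."""
    conn.execute("INSERT INTO table_x (id, body) VALUES (?, ?)", (row_id, body))
    return True


def fetch_body(conn, row_id):
    """Read the stored body back so the round trip can be checked."""
    row = conn.execute("SELECT body FROM table_x WHERE id = ?", (row_id,)).fetchone()
    return row[0] if row else None
```

With parameters, both bodies are stored and read back byte-for-byte; with string formatting, each one makes the statement fail.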