How to protect text when doing INSERT using MySQLdb

Developer https://www.devze.com 2023-01-08 23:40 Source: web

This query is easy, but when the text contains some quotes it doesn't work.

cursor.execute ("INSERT INTO text (text_key, language_id, text) VALUES ('%s', '%s', '%s')" % (key, language_id, text))

What is the best way to protect my text variable?


Always pass the parameters separately from the query:

cursor.execute (
    "INSERT INTO text (text_key, language_id, text) VALUES (%s, %s, %s)",
    (key, language_id, text))

That way the quoting will be handled correctly.


What you are doing will lead to a SQL injection vulnerability. Pass the parametrized query as the first argument, and the sequence of values as the second argument.
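Both answers above make the same point: keep the SQL and the values apart. The example below is added here and is not code from the question or either answer. It runs offline by using Python's standard-library sqlite3 module in place of MySQLdb, so the placeholder is "?" (DB-API paramstyle "qmark") rather than MySQLdb's "%s" (paramstyle "format"); the function names, the in-memory table and the sample text are all constructed for the illustration. It shows why the question's "%"-formatted INSERT fails as soon as the text contains an apostrophe, and that the parametrized INSERT stores the same text intact.

```python
import sqlite3

# Added example, not from the original question or answers. sqlite3 stands in
# for MySQLdb so this runs offline; MySQLdb uses "%s" as its placeholder where
# sqlite3 uses "?". The technique, values passed as a separate tuple, is the same.

SCHEMA = "CREATE TABLE text (text_key TEXT, language_id INTEGER, text TEXT)"


def open_db():
    """Return a fresh in-memory database holding the question's 'text' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def build_unsafe_query(key, language_id, text):
    """The question's approach: values spliced into the SQL with % formatting.

    Returned as a string so the caller can see exactly what the database
    receives. Any single quote in `text` terminates the string literal early.
    """
    return (
        "INSERT INTO text (text_key, language_id, text) VALUES ('%s', '%s', '%s')"
        % (key, language_id, text)
    )


def insert_unsafe(conn, key, language_id, text):
    """Execute the spliced query.

    Raises sqlite3.OperationalError when `text` contains a quote, because the
    resulting SQL is no longer well-formed.
    """
    conn.execute(build_unsafe_query(key, language_id, text))
    conn.commit()


def insert_parametrized(conn, key, language_id, text):
    """The answers' approach: SQL with placeholders, values passed separately.

    The driver hands the values to the engine as data, never as SQL text, so
    quotes inside `text` are stored literally.
    """
    conn.execute(
        "INSERT INTO text (text_key, language_id, text) VALUES (?, ?, ?)",
        (key, language_id, text),
    )
    conn.commit()


def fetch_text(conn, key, language_id):
    """Read back the stored text for a key/language pair, or None if absent."""
    row = conn.execute(
        "SELECT text FROM text WHERE text_key = ? AND language_id = ?",
        (key, language_id),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Insert the same quote-containing text both ways.

    Returns (text stored by the parametrized insert, whether the formatted
    insert succeeded).
    """
    sample = "It's a test"  # constructed input: a single apostrophe is enough
    conn = open_db()
    insert_parametrized(conn, "greeting", 1, sample)
    stored = fetch_text(conn, "greeting", 1)
    try:
        insert_unsafe(conn, "greeting", 2, sample)
        unsafe_ok = True
    except sqlite3.OperationalError:
        unsafe_ok = False
    return stored, unsafe_ok


if __name__ == "__main__":
    stored, unsafe_ok = demo()
    print("parametrized insert stored:", repr(stored))
    print("formatted insert succeeded:", unsafe_ok)
```

With MySQLdb the parametrized call is the one from the first answer, with "%s" placeholders and no quotes around them; the driver escapes the values for you. Note that the "%s" in the parametrized form is a placeholder consumed by execute(), not Python string formatting, which is why the values go in the second argument rather than after a "%" operator.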
