How to protect text when doing INSERT using MySQLdb

This query is easy, but when the text contains some quotes it doesn't work.

cursor.execute ("INSERT INTO text (text_key, language_id, text) VALUES ('%s', '%s', '%s')" % (key, language_id, text))

Wha开发者_运维技巧t is the best way to protect my text variable ?

Always pass the parameters separately from the query:

cursor.execute (
    "INSERT INTO text (text_key, language_id, text) VALUES (%s, %s, %s)",
    (key, language_id, text))

That way the quoting will be handled correctly.

What you are doing will lead to a SQL injection vulnerability. Pass the parametrized query as the first argument, and the sequence of values as the second argument.