How to protect text when doing INSERT using MySQLdb
This query is easy, but when the text contains some quotes it doesn't work.
cursor.execute ("INSERT INTO text (text_key, language_id, text) VALUES ('%s', '%s', '%s')" % (key, language_id, text))
Wha开发者_运维技巧t is the best way to protect my text variable ?
Always pass the parameters separately from the query:
cursor.execute (
"INSERT INTO text (text_key, language_id, text) VALUES (%s, %s, %s)",
(key, language_id, text))
That way the quoting will be handled correctly.
What you are doing will lead to a SQL injection vulnerability. Pass the parametrized query as the first argument, and the sequence of values as the second argument.
精彩评论