Originally Posted by
steve.horsley
In MySQL, MySQLdb.connect() returns a Connection object that has an escape_string() method that does the escaping for you.
And I just realised that you need to escape the backspace in the command I gave you, so it should be:
inputString.replace("'", "\\'")
but of course you really should use the library function.
In the pysqlite library there is no escaping method in the Connection class. And that line of code doesn't work either. Believe me, I have tested all possible and impossible lines. But you are right, I should do this with library functions...
Code:
>>> s = "It's nice to have an example"
>>> s.replace("'", "\\'")
"It\\'s nice to have an example"
>>> s.replace("'", "\'")
"It's nice to have an example"
>>> s.replace("'", "\\\'")
"It\\'s nice to have an example"
Since the SQL and parameters are now separate, it's possible for the library to take care of escaping.
Ok thanks, I have to test this one.
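The behaviour discussed in this thread, as an added example that is not part of the original posts: it uses Python's standard sqlite3 module with a constructed table `notes` and constructed sample strings. It shows the replace() line failing in SQLite, which does not treat a backslash as an escape character, while a `?` placeholder stores the text unchanged.

```python
import sqlite3


def open_db():
    """In-memory database with a constructed example table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def insert_with_backslash_escape(conn, text):
    """Build the SQL by hand using the replace() line from the thread.

    SQLite string literals have no backslash escape, so the quote in the
    data still ends the literal and the statement does not parse.
    Returns True if the INSERT ran, False if SQLite rejected it.
    """
    sql = "INSERT INTO notes (body) VALUES ('%s')" % text.replace("'", "\\'")
    try:
        conn.execute(sql)
        return True
    except sqlite3.OperationalError:
        return False


def insert_with_placeholder(conn, text):
    """Pass SQL and parameters separately; the library binds the value."""
    conn.execute("INSERT INTO notes (body) VALUES (?)", (text,))


def stored_bodies(conn):
    """Return every stored body in insertion order."""
    return [row[0] for row in conn.execute("SELECT body FROM notes ORDER BY id")]


if __name__ == "__main__":
    # Constructed sample inputs: one with a quote, one with quote and backslash.
    samples = ["It's nice to have an example", "O'Brien's path is C:\\temp"]
    conn = open_db()
    for s in samples:
        print("hand-built SQL accepted:", insert_with_backslash_escape(conn, s))
        insert_with_placeholder(conn, s)
    print(stored_bodies(conn))
```
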