Mysqldb (and other Python database modules) uses escaping by default if you use the execute function correctly.
Originally Posted by Gacha
The execute function has an optional second parameter. The first (required) is the sql, the second is for a value or a tuple of values to be inserted into the sql query.
When you do

cur.execute(query%params)

it is the same as

sqlquery = query%params
cur.execute(sqlquery)

and you are just supplying a readymade sql query generated with normal string interpolation which might lead to syntax errors and possibly security problems.

If you do

cur.execute(query, params)

the execute function will take care of the string interpolation and make sure that dangerous characters are properly escaped.

cur.execute("SELECT * FROM mod_raw_text WHERE type='%s' ", "tex'tile")
SELECT * FROM mod_raw_text WHERE type= 'tex\'tile'

which is a valid query, while

cur.execute("SELECT * FROM mod_raw_text WHERE type='%s' "%"tex'tile")
SELECT * FROM mod_raw_text WHERE type= 'tex'tile'

which will lead to an SQL syntax error
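The two forms side by side, as an added example that is not part of the post above. It uses Python's built-in sqlite3 so it runs offline; sqlite3 uses "?" placeholders where MySQLdb uses "%s", but the second-parameter mechanism is the same DB-API behaviour. The mod_raw_text table and its rows are constructed here for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the post's mod_raw_text table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mod_raw_text (id INTEGER PRIMARY KEY, type TEXT)")
    conn.executemany(
        "INSERT INTO mod_raw_text (type) VALUES (?)",
        [("tex'tile",), ("plain",)],
    )
    conn.commit()
    return conn


def query_interpolated(conn, value):
    """Build the SQL with Python % formatting (the form the post warns against).

    The value is pasted into the statement unescaped, so a quote inside it
    changes the SQL text itself. Returns the matching type values, or the
    error class name if the statement no longer parses.
    """
    sql = "SELECT type FROM mod_raw_text WHERE type='%s'" % value
    try:
        return [row[0] for row in conn.execute(sql).fetchall()]
    except sqlite3.OperationalError:
        return "OperationalError"


def query_parameterized(conn, value):
    """Pass the value as execute's second parameter.

    The driver binds (or, in MySQLdb, escapes) it, so the quote is treated
    as data and the row whose type is tex'tile is found.
    """
    sql = "SELECT type FROM mod_raw_text WHERE type=?"
    return [row[0] for row in conn.execute(sql, (value,)).fetchall()]


if __name__ == "__main__":
    db = make_db()
    print(query_interpolated(db, "tex'tile"))    # OperationalError
    print(query_parameterized(db, "tex'tile"))   # ["tex'tile"]
```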