Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 3 of 3
  1. #1
    Regular Coder Apothem's Avatar
    Join Date
    Mar 2008
    Posts
    380
    Thanks
    36
    Thanked 25 Times in 25 Posts

    MySQLdb - Escaping strings, unicode characters...

    So I read that I can using the cursor in such a way to escape strings:
    Code:
    cursor.execute("SELECT * FROM `table` WHERE `username` = %s", ("A Name with 'Quotes'"))
    And this will yield the same thing as something like:
    Code:
    cursor.execute("SELECT * FROM `table` WHERE `username` = 'A Name with \'Quotes\''")
    Am I correct? Will the prepared parameters always be safe? If not, in what cases will this fail? How do I "sanitize" the parameters so it will be "completely" safe before passing it as the prepared argument?

    Also, is something like this supported in MySQLdb's execute:
    Code:
    cursor.execute("SELECT * FROM `table` WHERE `username` = %(username)s", {'username':"A Name with 'Quotes'"})

    Also, I was skimming around sites and read something related to unicode strings needing more "work" or something. What do I need to do so that unicode strings can be used for queries?
    Last edited by Apothem; 02-17-2011 at 10:54 AM.

  • #2
    Master Coder
    Join Date
    Dec 2007
    Posts
    6,682
    Thanks
    436
    Thanked 890 Times in 879 Posts
    Quote Originally Posted by Apothem View Post
    So I read that I can using the cursor in such a way to escape strings:
    Code:
    cursor.execute("SELECT * FROM `table` WHERE `username` = %s", ("A Name with 'Quotes'"))
    And this will yield the same thing as something like:
    Code:
    cursor.execute("SELECT * FROM `table` WHERE `username` = 'A Name with \'Quotes\''")
    Am I correct? Will the prepared parameters always be safe? If not, in what cases will this fail? How do I "sanitize" the parameters so it will be "completely" safe before passing it as the prepared argument?

    Also, is something like this supported in MySQLdb's execute:
    Code:
    cursor.execute("SELECT * FROM `table` WHERE `username` = %(username)s", {'username':"A Name with 'Quotes'"})

    Also, I was skimming around sites and read something related to unicode strings needing more "work" or something. What do I need to do so that unicode strings can be used for queries?
    you can use _mysql.escape_string() to escape strings, see the table:

    http://mysql-python.sourceforge.net/...l#introduction

    about being 'safe', you need to validate every input which come from outside. I know this is very general but is hard to give a recipe without knowing what data you take from users.

    best regards

  • #3
    Regular Coder Apothem's Avatar
    Join Date
    Mar 2008
    Posts
    380
    Thanks
    36
    Thanked 25 Times in 25 Posts
    That did not really answer my questions.

    I know of the escape_string method already, but I am asking if the prepared statements will escape it already. That is, if I wrote the following code:
    Code:
    cursor.execute("SELECT * FROM `table` WHERE `username` = %s", ("A Name with 'Quotes'",))
    Will it escape the string automatically for me?


    Plus the other question I had about prepared statements were not answered either...


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •