MySQLdb - Escaping strings, unicode characters...

Apothem · 02-17-2011, 01:30 AM

So I read that I can using the cursor in such a way to escape strings:

Code:

cursor.execute("SELECT * FROM `table` WHERE `username` = %s", ("A Name with 'Quotes'"))

And this will yield the same thing as something like:

Code:

cursor.execute("SELECT * FROM `table` WHERE `username` = 'A Name with \'Quotes\''")

Am I correct? Will the prepared parameters always be safe? If not, in what cases will this fail? How do I "sanitize" the parameters so it will be "completely" safe before passing it as the prepared argument?

Also, is something like this supported in MySQLdb's execute:

Code:

cursor.execute("SELECT * FROM `table` WHERE `username` = %(username)s", {'username':"A Name with 'Quotes'"})

Also, I was skimming around sites and read something related to unicode strings needing more "work" or something. What do I need to do so that unicode strings can be used for queries?

oesxyl · 02-17-2011, 10:31 PM

Quote:

Originally Posted by Apothem

So I read that I can using the cursor in such a way to escape strings:

Code:

cursor.execute("SELECT * FROM `table` WHERE `username` = %s", ("A Name with 'Quotes'"))

And this will yield the same thing as something like:

Code:

cursor.execute("SELECT * FROM `table` WHERE `username` = 'A Name with \'Quotes\''")

Am I correct? Will the prepared parameters always be safe? If not, in what cases will this fail? How do I "sanitize" the parameters so it will be "completely" safe before passing it as the prepared argument?

Also, is something like this supported in MySQLdb's execute:

Code:

cursor.execute("SELECT * FROM `table` WHERE `username` = %(username)s", {'username':"A Name with 'Quotes'"})

Also, I was skimming around sites and read something related to unicode strings needing more "work" or something. What do I need to do so that unicode strings can be used for queries?

you can use _mysql.escape_string() to escape strings, see the table:

http://mysql-python.sourceforge.net/...l#introduction

about being 'safe', you need to validate every input which come from outside. I know this is very general but is hard to give a recipe without knowing what data you take from users.

best regards

Apothem · 02-17-2011, 11:33 PM

That did not really answer my questions.

I know of the escape_string method already, but I am asking if the prepared statements will escape it already. That is, if I wrote the following code:

Code:

cursor.execute("SELECT * FROM `table` WHERE `username` = %s", ("A Name with 'Quotes'",))

Will it escape the string automatically for me?

Plus the other question I had about prepared statements were not answered either...