I have seen this question asked in various ways on this website, but none of them exactly addressed my issue.
I have an sql statement with single quotes inside it, and am trying to use recommended practices before making database queries with it. So the statement is like
val2="abc 'dostuff'"
sql="INSERT INTO TABLE_A(COL_A,COL_B) VALUES(%s,'%s')" %(val1, val2)
a_cursor.execute(sql)
However, when I run this, I get..
ProgrammingError: (1064,"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'dostuff'.
What am I doing wrong? Thanks very much Nupur
Use parameters instead of string interpolation to ensure that your values are properly escaped by the database connector:
sql = "INSERT INTO TABLE_A(COL_A,COL_B) VALUES(%s, %s)"
a_cursor.execute(sql, (val1, val2))
The mysqldb sql parameter style uses the same syntax as used by the python string formatting operator, which is a little confusing.
来源:https://stackoverflow.com/questions/12902862/python-mysql-escaping-quotes