sql-parametrized-query

I'm writing a little python script to help me automate the creation of mysql databases and associated accounts for my personal projects. Part of this script is a function that takes the database name as a string, then goes to create the database. def createDB(dbConn, dbName): import MySQLdb c = dbConn.cursor() query = """CREATE DATABASE %s;"""; c.execute(query, (dbName,)) This doesn't work because MySQL's CREATE DATABASE asks for the unquoted name of the database, as in CREATE DATAbASE test_db but my code that attempts to safely insert the user provided db name into the query creates: CREATE

I'm trying to get this Python MYSQL update statement correct(With Variables): cursor.execute ("UPDATE tblTableName SET Year=%s" % Year ", Month=%s" % Month ", Day=%s" % Day ", Hour=%s" % Hour ", Minute=%s" Minute "WHERE Server=%s " % ServerID) Any ideas where I'm going wrong? It should be : cursor.execute (""" UPDATE tblTableName SET Year=%s, Month=%s, Day=%s, Hour=%s, Minute=%s WHERE Server=%s """, (Year, Month, Day, Hour, Minute, ServerID)) You can also do it with basic string manipulation, cursor.execute ("UPDATE tblTableName SET Year=%s, Month=%s, Day=%s, Hour=%s, Minute=%s WHERE Server='

This question already has an answer here: Getting raw SQL query string from PDO prepared statements 16 answers In PHP, when accessing MySQL database with PDO with parametrized query, how can you check the final query (after having replaced all tokens)? Is there a way to check what gets really executed by the database? So I think I'll finally answer my own question in order to have a full solution for the record. But have to thank Ben James and Kailash Badu which provided the clues for this. Short Answer As mentioned by Ben James: NO . The full SQL query does not exist on the PHP side, because