How to use variables in SQL statement in Python?

前端 未结 4 1126
后悔当初
后悔当初 2020-11-21 05:36

Ok so I\'m not that experienced in Python.

I have the following Python code:

cursor.execute(\"INSERT INTO table VALUES var1, var2, var3,\")
<         


        
4条回答
  •  别跟我提以往
    2020-11-21 06:00

    cursor.execute("INSERT INTO table VALUES (%s, %s, %s)", (var1, var2, var3))
    

    Note that the parameters are passed as a tuple.

    The database API does proper escaping and quoting of variables. Be careful not to use the string formatting operator (%), because

    1. it does not do any escaping or quoting.
    2. it is prone to Uncontrolled string format attacks e.g. SQL injection.

提交回复
热议问题