Ok so I'm not that experienced in Python.
I have the following Python code:
cursor.execute("INSERT INTO table VALUES var1, var2, var3,")
http://www.amk.ca/python/writing/DB-API.html
Be careful when you simply append values of variables to your statements:
Imagine a user naming himself ';DROP TABLE Users;'
--
That's why you need to use SQL escaping, which Python provides for you when you use the cursor.execute in a decent manner. Example in the URL is:
cursor.execute("insert into Attendees values (?, ?, ?)", (name, seminar, paid))
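
Added example, not part of the original thread: the same insert done by string concatenation and with placeholders, run against the name quoted above and an ordinary name containing an apostrophe. It assumes the standard-library sqlite3 driver and a constructed in-memory schema; the helper function names are illustrative.

```python
import sqlite3

# Constructed sample input: one ordinary name and the name from the thread.
SAMPLE_NAMES = ["O'Brien", "';DROP TABLE Users;'"]

def make_db():
    # Constructed in-memory schema; table names follow the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (name TEXT)")
    conn.execute("CREATE TABLE Attendees (name TEXT, seminar TEXT, paid INTEGER)")
    return conn

def insert_concatenated(conn, name, seminar, paid):
    # Unsafe: the values become part of the SQL text, so a quote inside
    # the data ends the string literal and the rest is parsed as SQL.
    sql = "insert into Attendees values ('%s', '%s', %d)" % (name, seminar, paid)
    try:
        conn.execute(sql)
        return True
    except (sqlite3.Error, sqlite3.Warning):
        return False  # the statement no longer parses as one INSERT

def insert_parameterized(conn, name, seminar, paid):
    # Safe: the SQL text is fixed; the driver binds the values as data.
    conn.execute("insert into Attendees values (?, ?, ?)", (name, seminar, paid))
    return True

def stored_names(conn):
    rows = conn.execute("SELECT name FROM Attendees ORDER BY rowid")
    return [row[0] for row in rows]

def table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    conn = make_db()
    for name in SAMPLE_NAMES:
        print("concatenated ok:", insert_concatenated(conn, name, "Python 101", 0))
    for name in SAMPLE_NAMES:
        insert_parameterized(conn, name, "Python 101", 0)
    print("stored verbatim:", stored_names(conn))
    print("Users table present:", table_exists(conn, "Users"))
```

The `?` placeholder is sqlite3's style; other DB-API drivers state theirs in the module's `paramstyle` attribute.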