How to properly escape strings when manually building SQL queries in SQLAlchemy?

我在风中等你 2021-02-14 15:29

I am using SQLAlchemy to connect to different databases in Python, but not with the ORM support as this cannot be implemented due to several reasons.

Mainly I do build a

4 answers
  •  Happy的楠姐
    2021-02-14 16:16

    You can use the escape_string method from pymysql and then escape ':' so SQLAlchemy won't try to bind a parameter for that variable. Here is the sample:

    from pymysql.converters import escape_string
    # escape_string handles quotes/backslashes; the replace() then escapes ':' so SQLAlchemy won't read it as a bind parameter
    query = """ insert into.... values("{}"...) """.format(escape_string(item).replace(':', '\\:'))
    

    Note that if you use it this way, your code is vulnerable to SQL injection.

    To install pymysql:

    pip3 install pymysql
    
