How to use variables in SQL statement in Python?

by 
cursor.execute("INSERT INTO table VALUES (%s, %s, %s)", (var1, var2, var3))

Note that the parameters are passed as a tuple.

The database API does proper escaping and quoting of variables. Be careful not to use the string formatting operator (%), because

  1. it does not do any escaping or quoting.
  2. it is prone to Uncontrolled string format attacks e.g. SQL injection.

More Related Contents:

  1. SQL / Pandas equivalent
  2. Pandas read_sql with parameters
  3. Pandas DENSE RANK
  4. How to put parameterized sql query into variable and then execute in Python?
  5. Not all parameters were used in the SQL statement (Python, MySQL)
  6. How can I get dict from sqlite query?
  7. pyodbc – How to perform a select statement using a variable for a parameter
  8. LEFT JOIN Django ORM
  9. Get data from pandas into a SQL server with PYODBC
  10. reading external sql script in python
  11. Python, SQLAlchemy pass parameters in connection.execute
  12. How to log all sql queries in Django?
  13. Python SQL query string formatting
  14. Pandas query function not working with spaces in column names
  15. How to get rows which match a list of 3-tuples conditions with SQLAlchemy
  16. Dynamic SQL Queries with Python and mySQL
  17. SQLAlchemy: how to filter date field?
  18. What is an efficient way of inserting thousands of records into an SQLite table using Django?
  19. SQL join or R’s merge() function in NumPy?
  20. Getting random row through SQLAlchemy
  21. Select NULL Values in SQLAlchemy
  22. python pandas to_sql with sqlalchemy : how to speed up exporting to MS SQL?
  23. Python and SQLite: insert into table
  24. How to check the existence of a row in SQLite with Python?
  25. How to quote a string value explicitly (Python DB API/Psycopg2)
  26. pyodbc the sql contains 0 parameter markers but 1 parameters were supplied’ ‘hy000’
  27. Pandas analogue to SQL MINUS / EXCEPT operator, using multiple columns
  28. VALUES clause in SQLAlchemy
  29. How to delete a record in Django models?
  30. flask sqlalchemy query with keyword as variable

Leave a Comment