You are also able to parameterize statements:
...
cursor.execute("select * from Throughput where DeviceName = ?", data['DeviceName'])
...
This is a better approach for the following reasons:
- Protection against SQL injection (you should always validate user input regardless of whether parameterized or dynamic SQL is used)
- You don’t have to worry about escaping where clause values with single quotes since parameters are passed to the database separately
- SQL is prepared once, subsequent executions of the query use the prepared statement instead of recompiling
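To make the difference concrete, here is an added example that is not part of the answer above: it runs the same `?`-placeholder query through both a string-concatenated form and a parameterized form. It uses Python's built-in `sqlite3` on an in-memory database instead of the pyodbc driver implied above, and assumes a `Throughput` table with `DeviceName` and `Mbps` columns and a few constructed rows; those are assumptions, not the original schema.

```python
import sqlite3

# Constructed sample rows (assumption: the page's Throughput table has at
# least a DeviceName column; the Mbps column is invented for illustration).
SAMPLE_ROWS = [
    ("router-1", 940),
    ("switch-a", 120),
    ("O'Brien-lab", 55),   # a legitimate name containing a single quote
]


def make_db():
    """Create an in-memory database with the constructed Throughput rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Throughput (DeviceName text, Mbps integer)")
    conn.executemany("insert into Throughput values (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def query_dynamic(conn, device_name):
    """Unsafe form: the value is spliced into the SQL text, so any quote in
    the input is parsed as part of the statement rather than as data."""
    sql = "select * from Throughput where DeviceName = '" + device_name + "'"
    return conn.execute(sql).fetchall()


def query_parameterized(conn, device_name):
    """Safe form: the value is handed to the driver separately from the SQL
    text (same ? placeholder style as the pyodbc call above), so it is never
    interpreted as SQL and needs no quote escaping."""
    sql = "select * from Throughput where DeviceName = ?"
    return conn.execute(sql, (device_name,)).fetchall()


def compare(device_name):
    """Run both forms on the same input. Returns (dynamic_result, parameterized_result);
    dynamic_result is an error string if the concatenated statement failed to parse."""
    conn = make_db()
    try:
        dynamic = query_dynamic(conn, device_name)
    except sqlite3.OperationalError as exc:
        dynamic = f"error: {exc}"
    parameterized = query_parameterized(conn, device_name)
    conn.close()
    return dynamic, parameterized


if __name__ == "__main__":
    for name in ["router-1", "O'Brien-lab", "x' or '1'='1"]:
        dyn, param = compare(name)
        print(repr(name))
        print("  dynamic       ->", dyn)
        print("  parameterized ->", param)
```

For a plain name both forms agree. For `O'Brien-lab` the concatenated statement fails to parse because the embedded quote closes the literal early, while the parameterized query returns the row. For an input that carries an `or` clause, the concatenated statement returns every row in the table, while the parameterized query simply finds no device with that literal name; this is the injection protection and the "no escaping needed" point from the list above in one run.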