Python: get SQL escape string

Question

Python: get SQL escape string

When I have a cursor, I know that I can safely execute the request as follows:

cur.execute("SELECT * FROM foo WHERE foo.bar = %s", (important_variable,))

Is there a way to just get the string safely without executing the query? For example, if important_variableis a string, for example "foo 'bar' \"baz", I would like it to be appropriately escaped:

"SELECT * FROM foo WHERE foo.bar = "foo \'bar\' \"baz"

(or whatever happens, I'm not even sure).

I am using psycopg and sqlobject.

+3

python database postgresql sqlobject

Claudiu Jun 24 '10 at 16:05

source share

3 answers

, , , : (Python DB API/Psycopg2)

+1

spookylukey 24 . '10 16:14

SQLObject handles escaping / quoting, but if you want to use this function:

from sqlobject.converters import sqlrepr
print(sqlrepr('SELECT * FROM foo WHERE foo.bar = "foo \'bar\' \"baz', 'postgres'))

Result:

'SELECT * FROM foo WHERE foo.bar = "foo ''bar'' "baz'

0

phd May 07, '17 at 21:27

source share

Rob kruus · Accepted Answer · 2010-06-24T17:22:23+0000

Look at the mogrify method for cursors - it will return the string after binding the variable and show any quote from it.

cur.mogrify("SELECT * FROM foo WHERE foo.bar = %s", ("foo 'bar' \"baz",))

Python: get SQL escape string

More articles: