[mod_python] addSlashes() in python, sql cgi question

Mike Looijmans mike.looijmans at asml.com
Fri Jun 6 07:53:21 EST 2003

If you use MySQL, just use the "escape" function:

import MySQLdb

# Quote a string for the database. Returns "NULL" for empty strings.
def dbescape(val):
    if val:
        # string_literal() wraps val in quotes and backslash-escapes
        # anything inside it that MySQL would otherwise treat as syntax
        return MySQLdb.string_literal(val)
    return "NULL"

Now you can do:

# dbescape() supplies the surrounding quotes, so the placeholders are unquoted
db.cursor().execute("INSERT INTO foo (foo_id, name) VALUES (%s, %s)" %
    (foo_id, dbescape(form['fooname'].value)))

You can use this function for anything you like.

Note that this also makes this stuff a lot more secure: Your application must
be able to cope with a user typing
hi" ; DROP DATABASE monty;

For many other database engines, you can use parameterized (a.k.a.
pre-compiled) queries: a query that is sent to the DBMS with some open
parameters and can be re-used several times with varying parameter values. This
eliminates query optimization overhead. These may also offer a performance

By the way, does MySQL support this? I've done this quite often with many
databases and clients (Delphi for example), and it makes a huge performance

Mike Looijmans
Private: http://www.milosoftware.com

-----Original Message-----
From: Irene Ponti <ireneponti at yahoo.com>
To: mod_python at modpython.org <mod_python at modpython.org>
Date: Thursday, June 05, 2003 7:53 PM
Subject: [mod_python] addSlashes() in python, sql cgi question

>Hi to all
>I have to put into a SQL database the content of some
>variables coming from an Internet form.
>If these variables have some characters such as ' or "
>inside, the SQL server returns an error because the
>query is not in correct syntax.
>Now in PHP there exists a standard function that adds slashes
>in front of ' or " in a variable and another that
>removes slashes.
>Is there in Python a function like this?
>Thank you.

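Added example, not from the original post or from MySQLdb: the three approaches discussed above (raw string formatting, a dbescape()-style quoting function, and a parameterized query) run side by side against SQLite from Python's standard library so that it works offline. The table, the column names and the injection payload are constructed for this example. sqlite3 uses "?" as its placeholder where MySQLdb uses "%s"; in both cases the values go in execute()'s second argument rather than being formatted into the query string. The last function also shows one behavioural difference of the post's dbescape(): it stores NULL for an empty string, while a bound parameter stores the empty string itself.

```python
import sqlite3

# Constructed payload for this example: closes the VALUES list early and
# smuggles in a second row whose role is 'admin'. It is a single statement,
# so it works even on drivers that refuse "; DROP ..." multi-statement input.
INJECTION = "mallory', 'admin'), ('bob"


def fresh_db():
    """In-memory database with a small users table (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    return db


def dbescape(val):
    """SQLite counterpart of the post's dbescape(): wrap in single quotes,
    double any embedded single quote, and return NULL for an empty value."""
    if val:
        return "'" + val.replace("'", "''") + "'"
    return "NULL"


def insert_unsafe(db, name):
    # No quoting at all: whatever the user typed becomes SQL syntax.
    db.execute("INSERT INTO users (name, role) VALUES ('%s', 'user')" % name)


def insert_escaped(db, name):
    # Client-side quoting; the placeholder is unquoted because dbescape()
    # supplies the quotes (or the bare word NULL).
    db.execute("INSERT INTO users (name, role) VALUES (%s, 'user')"
               % dbescape(name))


def insert_param(db, name):
    # Parameterized query: the value never touches the SQL text.
    db.execute("INSERT INTO users (name, role) VALUES (?, 'user')", (name,))


def roles(db):
    """Stored (name, role) rows, sorted so results compare deterministically."""
    return sorted(db.execute("SELECT name, role FROM users").fetchall())


def demo():
    """Run the payload through each approach on a fresh table and return
    what ended up in the database, keyed by approach."""
    results = {}
    approaches = (("unsafe", insert_unsafe),
                  ("escaped", insert_escaped),
                  ("param", insert_param))
    for label, fn in approaches:
        db = fresh_db()
        fn(db, INJECTION)
        results[label] = roles(db)
    return results


def empty_value_rows():
    """Show how the two safe approaches differ on an empty string:
    dbescape() maps it to NULL, a bound parameter keeps ''."""
    out = {}
    for label, fn in (("escaped", insert_escaped), ("param", insert_param)):
        db = fresh_db()
        fn(db, "")
        out[label] = roles(db)
    return out


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
    print("empty value:", empty_value_rows())
```

The unsafe variant ends up with two rows, one of them with role 'admin', while both the escaped and the parameterized variants store the payload as a literal name with role 'user'. Prefer the parameterized form where the driver offers it: there is nothing to forget to escape, and the NULL-for-empty convention becomes an explicit choice in the application rather than a side effect of the quoting helper.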