Julian Popov
Reputation: 17461
Django & Postgres explicit SQL parameters escape
I need to construct a long SQL request to my database, but I'm not sure how can I escape parameters correctly
How can I explicitly escape parameters in SQL like cursor.execute() does?
Can you also give me an example what exactly this escaping have to do, so I can test it?
Is there any difference if you escape standard SQL request or database function call?
Upvotes: 0
Views: 1958
Answers (1)
sjaensch
Reputation: 971
If you need to build your parameter list dynamically:
sql = "SELECT FROM foo WHERE bar='baz'"
param_list = []
for entry in loop_array:
sql = sql + "AND " + entry.key + " = %s"
param_list.append(entry.value)
cursor.execute(sql, param_list)
Upvotes: 1
Related Questions
- Django extra + where: how to escape identifiers
- Properly escaping strings in raw Django SQL query
- How can I prevent SQL injection in PYTHON-DJANGO?
- How to manually escape SQL literals in Python
- Python/MySQL: Escaping strings used as parameters in raw database queries
- Django and SQL Injection with example
- Django Raw Query with params on Table Column (SQL Injection)
- parameterized query Postgres for sql injection mitigation
- Is it possible to stop Django adding quotes around raw SQL params?
- SQL injection on django app