0 votes
1 view
in SQL by (20.3k points)

Ok, so I'm not that experienced in Python.

I have the following Python code:

cursor.execute("INSERT INTO table VALUES var1, var2, var3,")

where var1 is an integer, var2 & var3 are strings.

How can I write the variable names without python including them as part of the query text?

1 Answer

0 votes
by (40.4k points)

cursor.execute("INSERT INTO table VALUES (%s, %s, %s)", (var1, var2, var3))

Note that hehe the parameters are passed as a tuple.

The database API does proper escaping and quoting of variables. Be careful not to use the string formatting operator (%), because

It does not do any escaping or quoting.

It is prone to Uncontrolled string format attacks e.g. SQL injection.

Related questions

Welcome to Intellipaat Community. Get your technical queries answered by top developers !