Explore Courses Blog Tutorials Interview Questions
0 votes
in SQL by (20.3k points)

Ok, so I'm not that experienced in Python.

I have the following Python code:

cursor.execute("INSERT INTO table VALUES var1, var2, var3,")

where var1 is an integer, var2 & var3 are strings.

How can I write the variable names without python including them as part of the query text?

1 Answer

0 votes
by (40.7k points)

cursor.execute("INSERT INTO table VALUES (%s, %s, %s)", (var1, var2, var3))

Note that hehe the parameters are passed as a tuple.

The database API does proper escaping and quoting of variables. Be careful not to use the string formatting operator (%), because

It does not do any escaping or quoting.

It is prone to Uncontrolled string format attacks e.g. SQL injection.

Enroll yourself in the SQL server certification to learn in-depth about SQL statements, queries and become proficient in SQL.

You can refer to our Python online course for more information.

Related questions

Browse Categories