[Twisted-Python] util.quote deprecated

Jean-Paul Calderone exarkun at divmod.com
Tue Mar 3 05:56:53 MST 2009


On Tue, 3 Mar 2009 13:17:48 +0100, Pet <petshmidt at googlemail.com> wrote:
>Hi,
>
>what is a proper way to escape user input in database query strings?
>I've used quote from twisted.enterprise.util, but it is deprecated now.
>Is there any other module for this purpose?

The proper way is with "bind parameters".  This keeps SQL separate from
data and removes the entire category of bugs due to misquoting.  The way
to use bind parameters is to pass the SQL string as a separate argument
from the SQL data.  Using DB-API 2.0, this means something like:

    cursor.execute("SELECT foo FROM bar WHERE baz = ?", (3,))

Using ADBAPI, it means something very similar:

    connpool.runQuery("SELECT foo FROM bar WHERE baz = ?", (3,))

Different database adapters use different syntaxes for the "?" part.  The
`paramstyle´ attribute of the DB-API 2.0 module tells you what syntax a
particular module uses.  See the DB-API 2.0 PEP
(< http://www.python.org/dev/peps/pep-0249/>) for details.

Jean-Paul




More information about the Twisted-Python mailing list