tags:

views:

176

answers:

3
+1  Q: 

Escaping chars in Python and sqlite

Hi, I have a python script that reads raw movie text files into an sqlite database.

I use re.escape(title) to add escape chars into the strings to make them db safe before executing the inserts.

Why does this not work:

In [16]: c.execute("UPDATE movies SET rating = '8.7' WHERE name='\'Allo\ \'Allo!\"\ (1982)'") --------------------------------------------------------------------------- OperationalError
Traceback (most recent call last)

/home/rajat/Dropbox/amdb/ in ()

OperationalError: near "Allo": syntax error

Yet this works (removed \' in two places) :

In [17]: c.execute("UPDATE movies SET rating = '8.7' WHERE name='Allo\ Allo!\"\ (1982)'") Out[17]:

I can't figure it out. I also can't ditch those leading quotes because they're actually part of the movie title. Thank you.

+5  A: 

You're doing it wrong. Literally. You should be using parameters, like this:

c.execute("UPDATE movies SET rating = ? WHERE name = ?", (8.7, "'Allo 'Allo! (1982)"))

Like that, you won't need to do any quoting at all and (if those values are coming from anyone untrusted) you'll be 100% safe (here) from SQL injection attacks too.

Donal Fellows  2010-07-10 16:48:42
absolutely. quoting and escaping are last-resource kludges. if parameters are available, use them _always_
Javier  2010-07-10 17:06:26
BTW, the same idea works just as well for pretty much every other database worth the name out there too, and in virtually every other practical programming language. *Everyone* does it this way because it is *right*.
Donal Fellows  2010-07-10 17:27:01
Awesome thanks Donal. All working well now. I'd used similar methods with RoR, where it is well documented. But hours of searching for "python sqlite escape characters" yielded nothing. python docs leave a lot to be desired. Thanks Donal and all
rajat  2010-07-10 20:20:06
@rajat: No idea what I searched for (might have even just been `python sqlite example` and working through the top hit) since I've had a browser crash since then. :-/
Donal Fellows  2010-07-10 20:23:00
+3  A: 

I use re.escape(title) to add escape chars into the strings to make them db safe

Note that re.escape makes a string re-safe -- nothing to do with making it db safe. Rather, as @Donal says, what you need is the parameter substitution concept of the Python DB API -- that makes things "db safe" as you need.

Alex Martelli  2010-07-10 17:08:09
A: 

SQLite doesn't support backslash escape sequences. Apostrophes in string literals are indicated by doubling them: '''Allo ''Allo! (1982)'.

But, like Donal said, you should be using parameters.

dan04  2010-07-13 05:47:14

related questions

SQLite3::BusyException
How do I dump the data of some SQLite3 tables?
Database functionality with WPF app: SQLite, SQL CE, other?
SQLite UDF - VBA Callback
JavaScript sqlite
SQLite/PHP read-only?
Is there a MySQLAdmin or SQL Server Management Studio equivalent for SQLite databases on Windows?
What are the advantages of VistaDB
How Scalable is SQLite?
Programmatically access browser history
SQL Pagination
Metalanaguage to describe the Model from MVC to generate identical client and server side code
Java and SQLite
Is there a good IDE for SQLite ?
Does Visual Studio Server Explorer support custom database providers?
Objective-C: Passing around sets of data
What is the best way to connect and use a sqlite database from C#
Quick easy way to migrate SQLite3 to MySQL?
Why does sqlite3-ruby-1.2.2 not work on OS X?
T-Sql date format for seconds since last epoch / formatting for sqlite input
What's the best way of converting a mysql database to a sqlite one?
SQLite vs MySQL
Using SQLite with Visual Studio 2008 and Silverlight
Adobe Air - Using multiple SQLite databases at once
SQLite and XSD