Converting to sql style string

Question

I have 3 variables:

var1="abc"
var2="def"
sqlPrefix = "select x,y in myTable where myVar in "

I want to create a string of ('abc','def'), so I can directly concatenate that to the end of sqlPrefx, so my final string is select x,y in myTable where myVar in ('abc','def')

Use SQL parameters; do not interpolate values into the string. — Martijn Pieters, Aug 26 '13 at 22:32

score 2 · Accepted Answer · edited May 23 '17 at 12:29

2

Generally speaking, in order to avoid sql injections you shouldn't construct sql queries manually like this.

But, just FYI, here's how you ~~can~~ shouldn't do it:

sqlPrefix = "select x,y in myTable where myVar in ('%s', '%s')" % (var1, var2)

Also, see: How to use variables in SQL statement in Python?

edited May 23 '17 at 12:29

Community

1
1

answered Aug 26 '13 at 22:32

alecxe

441,113
110
1,021
1,148

I'd say **mustn't** instead of **shouldn't** – Antti Haapala -- Слава Україні Aug 27 '13 at 07:14

Converting to sql style string

1 Answers1