1

I understand from the following post that Python equivalent of mysql_real_escape_string can be tested using two lines of code that can be found on the following stack link. I can not get the desired output so I figured I would reopen the discussion for help on my isolated matter.

Related stack overflow link:

Python equivalent of mysql_real_escape_string, for getting strings safely into MySQL?

Why would those two lines of code work for someone but not on my machine?

root@dev:~# python
Python 2.7.10 (default, Oct 14 2015, 16:09:02)
[GCC 5.2.1 20151010] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import MySQLdb
>>> MySQLdb.escape_string("'")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: must be impossible<bad format char>, not str
Community
  • 1
  • 1
Ben McNeill
  • 11
  • 2

1 Answers1

1

The answer in that first question could not be more wrong. You should just be using the builtin parameter passing argument to the DB api.

cursor.execute("INSERT INTO candidate (name, address) VALUES  (?,?)",
                (v_dict['name'], v_dict['address']))

It will safely escape the parameters for you.

Chad S.
  • 6,252
  • 15
  • 25
  • Why do you think I am getting that error though? It will not accept the string! – Ben McNeill Nov 24 '15 at 00:13
  • no idea, it's a wrapper around a C function, and the [mysql dev documentation](http://dev.mysql.com/doc/refman/5.7/en/mysql-escape-string.html) says 'Do not use this function', so.... – Chad S. Nov 24 '15 at 00:47
  • I am not using that function! I am using real_escape_string. Call me crazy but the MySQLdb User's Guide http://mysql-python.sourceforge.net/MySQLdb.html states that mysql_real_escape_string() = conn.escape_string() – Ben McNeill Nov 24 '15 at 11:58