Escape string Python for MySQL
conn.escape_string()
See MySQL C API function mapping: http://mysql-python.sourceforge.net/MySQLdb.html
The MySQLdb library will actually do this for you, if you use their implementations to build an SQL query string instead of trying to build your own.
Don't do:
sql = "INSERT INTO TABLE_A (COL_A,COL_B) VALUES (%s, %s)" % (val1, val2)
cursor.execute(sql)
Do:
sql = "INSERT INTO TABLE_A (COL_A,COL_B) VALUES (%s, %s)"
cursor.execute(sql, (val1, val2))
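
The difference between the two patterns above, shown as an added example that is not part of the original answer. Python's built-in sqlite3 stands in for MySQLdb so that it runs without a server (sqlite3 uses ? placeholders where MySQLdb uses %s); the helper names and sample values are constructed for illustration.

```python
import sqlite3


def make_table():
    # Assumption: an in-memory SQLite database stands in for a MySQL server.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TABLE_A (COL_A TEXT, COL_B TEXT)")
    return conn


def insert_formatted(conn, val1, val2):
    # "Don't do": the values are pasted into the SQL text with %, so a quote
    # inside a value becomes part of the statement. The quotes around %s are
    # added here so that plain strings form valid SQL at all.
    sql = "INSERT INTO TABLE_A (COL_A,COL_B) VALUES ('%s', '%s')" % (val1, val2)
    conn.execute(sql)


def insert_bound(conn, val1, val2):
    # "Do": the SQL text is constant and the values are passed separately,
    # so the driver handles quoting. MySQLdb would use %s in place of ?.
    sql = "INSERT INTO TABLE_A (COL_A,COL_B) VALUES (?, ?)"
    conn.execute(sql, (val1, val2))


def try_insert(insert, val1, val2):
    """Return the stored rows, or the exception name if the statement failed."""
    conn = make_table()
    try:
        insert(conn, val1, val2)
    except sqlite3.Error as exc:
        return type(exc).__name__
    return conn.execute("SELECT COL_A, COL_B FROM TABLE_A").fetchall()


# Constructed sample values: one plain, one containing an apostrophe.
SAMPLES = [("alice", "plain"), ("O'Reilly", "apostrophe")]

if __name__ == "__main__":
    for val1, val2 in SAMPLES:
        print(repr(val1), "formatted:", try_insert(insert_formatted, val1, val2))
        print(repr(val1), "bound:    ", try_insert(insert_bound, val1, val2))
```
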