Asked By – user111606
I have the following Python code:
cursor.execute("INSERT INTO table VALUES var1, var2, var3,")
var1 is an integer,
var3 are strings.
How can I write the variable names without Python including them as part of the query text?
Now we will see solution for issue: How to use variables in SQL statement in Python?
cursor.execute("INSERT INTO table VALUES (%s, %s, %s)", (var1, var2, var3))
Note that the parameters are passed as a tuple.
The database API does proper escaping and quoting of variables. Be careful not to use the string formatting operator (
- it does not do any escaping or quoting.
- it is prone to Uncontrolled string format attacks e.g. SQL injection.