So is this : cursor.execute(Insert INTO visit (pid, date, diagnosisid) VALUES (%s,%s,%s), (pid, date,

Question

Asked: May 29, 20262026-05-29T04:03:37+00:00 2026-05-29T04:03:37+00:00

So is this :

cursor.execute("Insert INTO visit (pid, date, diagnosisid) VALUES (%s,%s,%s)",
(pid, date, diagnosisid))

enough or do I need :

cursor.execute("Insert INTO visit (pid, date, diagnosisid) VALUES (%s,%s,%s)",
(escape_string(pid), escape_string(date), escape_string(diagnosisid)))

?

You must login to add an answer.

Need An Account,

Editorial Team · Answer 1 · 2026-05-29T04:03:38+00:00

Editorial Team

The first one is enough; the second one would double your efforts, replacing e.g. " with \". You can test it yourself with

>>> c.execute("SELECT %s, %s", ('"', MySQLdb.escape_string('"')))
1L
>>> c.fetchall()
((u'"', u'\\"'),)

So you see that the 2nd version would produce an unneeded \ before the ". So the first one is ok.

The Archive Base Latest Questions