Beware of SQL injection attacks.
See Exploits of a Mom.
In [1]:
# Do not do this.
# %-formatting pastes whatever `name` holds straight into the statement text,
# so the database cannot tell where the query ends and the caller's data begins.
# Hand the value to the driver as a bound parameter instead, e.g.
#   cursor.execute("SELECT grade FROM stuff WHERE name = ?;", (name,))
# so the driver keeps SQL and data separate.
sql = ("SELECT grade FROM stuff "
       "WHERE name = '%s';")
sql
Out[1]:
In [2]:
# A well-behaved value yields the intended query, which is why this bug
# survives ordinary testing: nothing looks wrong until hostile input arrives.
name = "John"
sql % (name,)
Out[2]:
In [3]:
# Do not do this.
# The value below closes the open quote, ends the statement, appends a
# destructive one, and opens a new string so the template's trailing `';`
# still parses. A bound parameter would have treated the whole value as data.
name = "Robert'; DROP TABLE students;SELECT 'foo"
sql % (name,)
Out[3]: