Use a parametrized query. Look at the last example in the docs
https://pythonhosted.org/pymssql/pymssql...compliance
cursor.execute('SELECT * FROM persons WHERE salesrep=%s', 'John Doe')

Also the docs https://pythonhosted.org/pymssql/ref/pym...or.execute

Quote:
Cursor.execute(operation)
Cursor.execute(operation, params)
operation is a string and params, if specified, is a simple value, a tuple, a dict, or None.
Performs the operation against the database, possibly replacing parameter placeholders with provided values. This should be the preferred method of creating SQL commands, instead of concatenating strings manually, which creates the potential for SQL injection attacks. This method accepts formatting similar to Python's builtin string interpolation operator. However, since formatting and type conversion are handled internally, only the %s and %d placeholders are supported. Both placeholders are functionally equivalent.
Keyed placeholders are supported if you provide a dict for params.
If you call execute() with one argument, the % sign loses its special meaning, so you can use it as usual in your query string, for example in LIKE operator. See the examples.
You must call Connection.commit() after execute() or your data will not be persisted in the database. You can also set connection.autocommit if you want it to be done automatically. This behaviour is required by DB-API, if you don’t like it, just use the _mssql module instead.
If you can't explain it to a six-year-old, you don't understand it yourself. Albert Einstein
How to Ask Questions The Smart Way: link and another link
Create MCV example
Debug small programs
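A worked version of the point above, added here and not from the original post or the pymssql project: pymssql is not imported, so it runs without a SQL Server, and `quote_param`/`substitute_params` are a simplified stand-in for pymssql's client-side parameter substitution (assumed to quote str values as N'...' with embedded quotes doubled); `find_by_salesrep` is the hypothetical real-world call against a pymssql cursor.

```python
import datetime
import re

def quote_param(value):
    """Render one Python value as a SQL Server literal (simplified stand-in, not pymssql's code)."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, datetime.datetime):
        return "'" + value.strftime("%Y-%m-%d %H:%M:%S") + "'"
    if isinstance(value, str):
        # Doubling the quote keeps the value a single literal whatever it contains;
        # this is exactly the step plain string concatenation skips.
        return "N'" + value.replace("'", "''") + "'"
    raise TypeError(f"unsupported parameter type: {type(value).__name__}")

def substitute_params(operation, params=None):
    """Mirror the documented contract: params is a scalar, a tuple, a dict, or None."""
    if params is None:
        return operation  # one-argument form: '%' keeps its literal meaning (e.g. in LIKE)
    # %d and %s are equivalent in pymssql, so fold %d and %(key)d into %s before formatting
    operation = re.sub(r"%(\([^)]*\))?d", r"%\1s", operation)
    if isinstance(params, dict):
        return operation % {k: quote_param(v) for k, v in params.items()}
    if not isinstance(params, tuple):
        params = (params,)
    return operation % tuple(quote_param(v) for v in params)

def unsafe_query(salesrep):
    """Concatenation: the value is spliced into the SQL text, so any quote changes the statement."""
    return "SELECT * FROM persons WHERE salesrep='" + salesrep + "'"

def safe_query(salesrep):
    """The docs' parametrized form, rendered through substitute_params."""
    return substitute_params("SELECT * FROM persons WHERE salesrep=%s", salesrep)

def find_by_salesrep(cursor, salesrep):
    """Real use against a pymssql cursor: hand placeholders and values over separately."""
    cursor.execute("SELECT * FROM persons WHERE salesrep=%s", salesrep)
    return cursor.fetchall()

if __name__ == "__main__":
    print(unsafe_query("O'Brien"))  # the apostrophe ends the string literal early
    print(safe_query("O'Brien"))    # stays one literal: N'O''Brien'
```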