• Quoting SQL Strings

    From Lawrence D'Oliveiro@21:1/5 to All on Mon Apr 29 02:53:46 2024
    People see dynamic generation of SQL queries as some kind of black art.
    “Use templates and prepared statements”, they say. “Fear the SQL injection
    attack”, they say.

    Turning a string value into a literal for use in an SQL query is really
    very simple. In Python, this is all it takes:

    "'" + s.replace("'", "''") + "'"

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
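
The expression from the post, checked next to a bound parameter. This is an added example, not part of the original post. It uses Python's built-in sqlite3 with an in-memory database; the function names and sample values are constructed for illustration, and the results apply to SQLite's string-literal syntax only, where a doubled quote is the sole escape inside a literal.

```python
import sqlite3


def sql_string(s):
    """The post's expression wrapped in a function (the name is hypothetical)."""
    return "'" + s.replace("'", "''") + "'"


# Constructed sample values: quotes, comment markers, backslashes, non-ASCII, empty.
SAMPLES = ["plain", "O'Reilly", "''", "it's; -- not a comment",
           "back\\slash'", "na\u00efve \u2019quote\u2019", ""]


def round_trip(conn, s):
    """Return (value read back from the generated literal, value from a bound parameter)."""
    via_literal = conn.execute("SELECT " + sql_string(s)).fetchone()[0]
    via_param = conn.execute("SELECT ?", (s,)).fetchone()[0]
    return via_literal, via_param


def check_samples():
    """True when every sample survives both paths unchanged."""
    conn = sqlite3.connect(":memory:")
    try:
        return all(round_trip(conn, s) == (s, s) for s in SAMPLES)
    finally:
        conn.close()


def non_string_values():
    """The expression assumes a str; a bound parameter also carries None, int and bytes."""
    conn = sqlite3.connect(":memory:")
    results = {}
    try:
        for value in (None, 42, b"\x00'"):
            try:
                sql_string(value)
                literal_ok = True
            except (AttributeError, TypeError):
                literal_ok = False  # no str.replace on this type
            bound = conn.execute("SELECT ?", (value,)).fetchone()[0]
            results[repr(value)] = (literal_ok, bound == value)
    finally:
        conn.close()
    return results
```

Values that are not str (NULLs, numbers, blobs) need their own handling when literals are generated by hand, whereas the driver's parameter binding converts them by type.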