Bind parameters#

In order to paramterise a query you should use binding parameters and avoid string formatting. This is particularly important with user input as string formatting may leave you vulnerable to SQL injection attacks.

Quart-DB only supports keyword bind parameters with the latter utilising buildpg for postgresql databases. The Quart-DB connection instance methods accept a query (str) and a collection of values as arguments.

A UndefinedParameterError will be raised if a parameter is specified in the query without a parameter being provided.

Keyword binds#

Keyword binds are so called as the values are taken by key-name, and hence should be supplied via a dictionary.

await connection.execute(
    "SELECT * FROM tbl WHERE a = :a AND b = :b",
    {"a": 1, "b": 2},