22.01.2016, 03:28
It's to prevent SQL injection.
Enter "DROP TABLE `accounts`" in a dialog that processes a query. Try it out (but be careful about what it does).
http://www.w3schools.com/sql/sql_injection.asp
The first thing you'll notice behind that link:
An SQL Injection can destroy your database.
I think that's pretty clear and explains why you should escape strings in queries.
By the way, use the specifier "%q" in the function "format" to escape a string. It replaces the "%s" specifier.
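Added example, not code from the post above: a Python script using the standard sqlite3 module that shows why the raw "%s" interpolation is dangerous and what the "%q" specifier actually does. `q_escape` reimplements the quote-doubling that SQLite's %q performs (every single quote becomes two), and `run_lookup` hands the whole query string to SQLite the way a server-side query call would, so every statement in the string runs. The accounts table, the attacker payload and all function names are constructed for this illustration.

```python
import sqlite3


def q_escape(value: str) -> str:
    """Escape a string for use inside single quotes in an SQLite query.

    This mirrors what SQLite's own %q specifier does: every single quote is
    doubled, so the input can never terminate the quoted literal it lands in.
    It is only correct for values placed between single quotes, not for
    table/column names or bare numbers.
    """
    return value.replace("'", "''")


def vulnerable_query(name: str) -> str:
    # Equivalent of format(q, sizeof q, "... WHERE name='%s'", name):
    # the user's text is pasted straight into the SQL.
    return "SELECT name FROM accounts WHERE name='%s'" % name


def escaped_query(name: str) -> str:
    # Equivalent of the same call with "%q": the value is escaped first.
    return "SELECT name FROM accounts WHERE name='%s'" % q_escape(name)


def fresh_db() -> sqlite3.Connection:
    # Constructed sample data for the demo (hypothetical accounts table).
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE accounts (name TEXT PRIMARY KEY, password TEXT);
        INSERT INTO accounts VALUES ('alice', 'secret1');
        INSERT INTO accounts VALUES ('O''Brien', 'secret2');
        """
    )
    return db


def table_exists(db: sqlite3.Connection, table: str) -> bool:
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    return row is not None


def run_lookup(db: sqlite3.Connection, query: str) -> bool:
    """Run the query string as a server would (all statements in it execute)
    and report whether the accounts table survived."""
    db.executescript(query)
    return table_exists(db, "accounts")


# Constructed attacker input: closes the quote, appends a DROP, comments out the rest.
PAYLOAD = "'; DROP TABLE accounts; --"


def demo() -> tuple:
    """Returns (table survived unescaped query, table survived escaped query)."""
    db = fresh_db()
    survived_raw = run_lookup(db, vulnerable_query(PAYLOAD))
    db = fresh_db()
    survived_escaped = run_lookup(db, escaped_query(PAYLOAD))
    return survived_raw, survived_escaped


def lookup_escaped(name: str) -> list:
    """Escaped lookup of a legitimate name containing an apostrophe."""
    db = fresh_db()
    return [row[0] for row in db.execute(escaped_query(name)).fetchall()]


if __name__ == "__main__":
    print("raw query:    ", vulnerable_query(PAYLOAD))
    print("escaped query:", escaped_query(PAYLOAD))
    print("table survived (raw, escaped):", demo())
    print("lookup O'Brien:", lookup_escaped("O'Brien"))
```

Running it shows the raw query becomes `... WHERE name=''; DROP TABLE accounts; --'` and the table is gone afterwards, while the escaped version becomes `... WHERE name='''; DROP TABLE accounts; --'`, a harmless search for a name nobody has, and `O'Brien` still matches correctly. Keep in mind that %q only protects values inside single quotes; where the driver supports bound parameters (the `?` placeholder used in `table_exists` above), those are the stronger choice because the value never touches the SQL text at all.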