In a sane language that query might look something like
cursor.execute("select field from tbl where long_obtuse_column_name=:foo and status != :status", foo=query, status='open')
All parameters are properly escaped by the api of course, so even if foo is "'; drop table audit; " you don't have any problems.
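As an added, runnable illustration of the point made above (example code, not part of the original comment), here is the same query executed through Python's standard sqlite3 module with named bind parameters. The table layout, the rows and the `find_fields` helper are constructed for this example; the hostile value `'; drop table audit; ` is passed as a bind value, so the driver treats it as data to compare against and the `audit` table is untouched.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory sample database (assumption: not the original schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table tbl (field text, long_obtuse_column_name text, status text);
        create table audit (id integer primary key, note text);
        insert into tbl values ('row-a', 'alpha', 'closed');
        insert into tbl values ('row-b', 'alpha', 'open');
        -- '' inside a SQL literal is an escaped quote: the stored value is '; drop table audit;
        insert into tbl values ('row-c', '''; drop table audit; ', 'closed');
        insert into audit (note) values ('must survive');
    """)
    return conn


def find_fields(conn, query, status="open"):
    """Run the parameterised query; the user-supplied value never touches the SQL text."""
    cursor = conn.cursor()
    cursor.execute(
        "select field from tbl where long_obtuse_column_name=:foo and status != :status",
        {"foo": query, "status": status},   # sqlite3 takes named binds as a mapping
    )
    return [row[0] for row in cursor.fetchall()]


def audit_intact(conn):
    """True if the audit table still exists and still holds its single row."""
    row = conn.execute("select count(*) from audit").fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    print(find_fields(db, "alpha"))                  # ['row-a']
    print(find_fields(db, "'; drop table audit; "))  # ['row-c']  (matched literally)
    print(audit_intact(db))                          # True
```

The hostile string simply selects the row whose column happens to contain that exact text; no second statement is ever parsed, because the bind value is sent separately from the SQL.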