Hello,
I would like to know if MySQLdb is 'SQL Injection' safe? And what are the guidelines for creating an 'SQL Injection' safe application using MySQLdb?
Thanks,
Amit
As long as you are inserting your parameters with cursor.execute() as described in PEP-249, you should be safe. If you are building your own queries from user data, or using the % operator to insert parameter values, then SQL injection is possible, depending on how your application is designed.
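An added example, not part of the original thread, contrasting the two approaches the reply describes. It uses the standard-library sqlite3 module as a stand-in because MySQLdb needs a running server; the only assumed difference is the placeholder (MySQLdb uses `%s` with a parameter tuple, sqlite3 uses `?`), the principle is identical.

```python
import sqlite3


def make_db():
    # Constructed sample data; the apostrophe in "O'Brien" is ordinary user data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    return conn


def lookup_unsafe(conn, name):
    # Query text built with the % operator: the value becomes part of the SQL
    # statement itself, so any quote in the input alters the statement.
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # PEP-249 parameter passing: the value travels as data, never as SQL text.
    # With MySQLdb the equivalent is cursor.execute("... WHERE name = %s", (name,)).
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    # Runs both lookups for the same input and reports what each one did.
    conn = make_db()
    try:
        unsafe = ("ok", lookup_unsafe(conn, name))
    except sqlite3.OperationalError as exc:
        # A plain apostrophe already breaks the hand-built statement.
        unsafe = ("sql error", str(exc))
    return {"unsafe": unsafe, "safe": ("ok", lookup_safe(conn, name))}


if __name__ == "__main__":
    for user in ("alice", "O'Brien"):
        print(user, compare(user))
```

The same input that is returned correctly by the parameterized query is a syntax error for the %-built one; that structural change is exactly what makes the second form exploitable.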