Python function for preventing SQL injection


Escaping the characters of a parameter (Python 3 form of the function; the original used the Python 2 `unicode` type):

# Translation table for str values: each special code point maps to its escaped form.
_escape_table = [chr(x) for x in range(128)]
_escape_table[0] = "\\0"
_escape_table[ord("\\")] = "\\\\"
_escape_table[ord("\n")] = "\\n"
_escape_table[ord("\r")] = "\\r"
_escape_table[ord("\032")] = "\\Z"
_escape_table[ord("'")] = "\\'"
_escape_table[ord('"')] = '\\"'


def _escape_unicode(value, mapping=None):
    """Escape a str value with the same rules as the bytes branch below."""
    return value.translate(_escape_table)


def escape_string(value, mapping=None):
    """escape_string escapes *value* but does not surround it with quotes.

    Value should be bytes or str.
    """
    if isinstance(value, str):
        return _escape_unicode(value)
    assert isinstance(value, (bytes, bytearray))
    # bytes input needs bytes patterns; each special byte gets a backslash escape
    value = value.replace(b'\\', b'\\\\')
    value = value.replace(b'\0', b'\\0')
    value = value.replace(b'\n', b'\\n')
    value = value.replace(b'\r', b'\\r')
    value = value.replace(b'\032', b'\\Z')
    value = value.replace(b"'", b"\\'")
    value = value.replace(b'"', b'\\"')
    return value

The correct way to execute SQL: do not concatenate parameters into the SQL string. Character escaping is applied only to the parameters in args, never to the template itself.

query is the SQL template; args are the parameters that will be passed in:

execute(query, args=None)
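An added example (not code from the original post or from any driver) that contrasts the two patterns above: `mogrify` is a hypothetical helper that renders a `%s` template by escaping and quoting only the args, the way a MySQL driver's `execute(query, args)` does client-side, and the concatenation-versus-binding comparison runs on an in-memory SQLite database as an offline stand-in for the real server. The user input is constructed for the demonstration.

```python
import sqlite3

# MySQL-style escapes, the same set the page's escape_string applies to a str.
_ESCAPE_TABLE = {ord(c): r for c, r in {
    "\0": "\\0", "\\": "\\\\", "\n": "\\n", "\r": "\\r",
    "\032": "\\Z", "'": "\\'", '"': '\\"',
}.items()}


def mogrify(query, args=None):
    """Hypothetical helper: escape and quote ONLY the args, then fill the
    %s placeholders of the template; the template text is never escaped."""
    if args is None:
        return query
    quoted = tuple("'" + str(a).translate(_ESCAPE_TABLE) + "'" for a in args)
    return query % quoted


# Constructed sample input: closes the open quote and appends a tautology.
TAINTED = "' OR '1'='1"


def concat_sql(name):
    """The pattern the page warns against: the value is spliced into the SQL."""
    return "SELECT id FROM users WHERE name = '" + name + "'"


def template_sql(name):
    """The recommended pattern: query is the template, the value travels in args."""
    return mogrify("SELECT id FROM users WHERE name = %s", (name,))


def _db():
    """Small in-memory table so the statements can actually be executed offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def rows_concat(name):
    """Execute the concatenated statement: the input changes the query's meaning."""
    return [r[0] for r in _db().execute(concat_sql(name))]


def rows_bound(name):
    """Execute with driver-side binding, the separation execute(query, args) gives."""
    return [r[0] for r in _db().execute("SELECT id FROM users WHERE name = ?", (name,))]
```

The rendered MySQL-style statement is only shown, not executed, because SQLite does not interpret backslash escapes; the execution comparison relies on the driver's own `?` binding instead.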