How to parameterize the frappe.db.sql call?

Hi guys,

I need to use some complex syntax, hence the basic Database API is not usable, so I need to use frappe.db.sql to execute a raw SQL statement.

But I can't find how to parameterize the SQL statement in the official documentation. I know I can use string interpolation, but it's not good due to security vulnerabilities (SQL injection?).

Thank you a lot.

Use frappe.db.sql(query, params).

The first param is the query as a string,
the second param is the values tuple.

1 Like
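Here is an added example (not code from the thread or from Frappe itself) that puts the string-interpolated query next to the parameterized form the answer recommends. Frappe's `frappe.db.sql` hands the `%s` / `%(name)s` placeholders and the values to the MySQL driver, which quotes and escapes each value before substituting it; the `_escape` and `render` helpers below are a constructed stand-in for that driver step so the difference can be seen offline. The `tabItem` table, its `item_group` and `standard_rate` columns, and the `get_items` wrapper are assumptions chosen for illustration.

```python
"""Parameterizing frappe.db.sql: interpolated (unsafe) vs. placeholder (safe).

Constructed example. `_escape`/`render` imitate what the MySQL driver does
with (query, values) and are NOT Frappe or pymysql code.
"""


def _escape(value):
    """Quote one parameter the way a MySQL driver does (simplified stand-in)."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):          # bool before int: bool is a subclass of int
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, (list, tuple)):  # sequences become a parenthesized list (IN clauses)
        return "(" + ",".join(_escape(v) for v in value) + ")"
    s = str(value)
    s = (s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
          .replace("\0", "\\0").replace("\n", "\\n"))
    return f"'{s}'"


def render(query, values=None):
    """Substitute escaped values into %s / %(name)s placeholders, as the driver does.

    Only the query string is %-formatted, so a literal % in the query must be
    written as %% when values are passed; % inside a value is left alone.
    """
    if values is None:
        return query
    if isinstance(values, dict):
        return query % {k: _escape(v) for k, v in values.items()}
    if not isinstance(values, (list, tuple)):
        values = (values,)
    return query % tuple(_escape(v) for v in values)


def unsafe_items_query(item_group):
    """Vulnerable: attacker-controlled text lands directly inside the SQL."""
    return f"select name from `tabItem` where item_group = '{item_group}'"


def safe_items_query(item_group):
    """Safe: positional %s placeholder plus a values tuple for frappe.db.sql."""
    query = "select name from `tabItem` where item_group = %s"
    return query, (item_group,)


def safe_items_query_named(item_group, min_rate):
    """Safe: named %(key)s placeholders plus a dict, easier to read with many params."""
    query = ("select name, standard_rate from `tabItem` "
             "where item_group = %(item_group)s and standard_rate >= %(min_rate)s")
    return query, {"item_group": item_group, "min_rate": min_rate}


def items_in_query(names):
    """Safe IN clause: pass the whole list as one value, the driver expands it."""
    query = "select name from `tabItem` where name in %s"
    return query, (list(names),)


def get_items(item_group):
    """Real call, only works inside a Frappe bench (assumed `tabItem` table)."""
    import frappe  # imported lazily so the module loads outside a bench
    query, values = safe_items_query(item_group)
    return frappe.db.sql(query, values, as_dict=True)


if __name__ == "__main__":
    payload = "x' or '1'='1"             # constructed injection attempt
    print(unsafe_items_query(payload))   # the OR clause becomes live SQL
    print(render(*safe_items_query(payload)))  # the quote is escaped, payload stays a string
```

The practitioner's checks: grep the code base for `frappe.db.sql(f"` and `frappe.db.sql("..." % ` and `frappe.db.sql("..." + `, since those are the interpolation patterns that bypass the driver's quoting; remember that a literal `%` in the query text (for example in a `LIKE 'ITEM-%'`) must be doubled to `%%` once a values argument is supplied, while `%` inside a value such as `"ITEM-%"` needs no change.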