Traceback (most recent call last): File "test.py", line 190, in <module> cursor.execute(sql) sqlite3.OperationalError: near "s": syntax errorcode
Suppose name contains a single quote followed by a t, as in name = "don't look now" sql = "update foo set is_processed=1 where bar='"+name+"'" Then sql would equal In [156]: sql Out[156]: "update foo set is_processed=1 where bar='don't look now'" and sqlite3 will think the conditional is where bar='don' followed by a syntax error, t look now'. sqlite3 then raises sqlite3.OperationalError: near "t": syntax error This is an example of why you should always use parametrized SQL. To avoid this problem (and protect your code from SQL injection attacks), use parametrized SQL and pass a sequence (or, depending on the paramstyle, a mapping) of values as the second argument to cursor.execute: sql = "update foo set is_processed=1 where bar=?" cursor.execute(sql, [name]) When you pass arguments (such as [name]) as the second argument to cursor.execute, sqlite3 will escape the single-quote for you.