The problem is the various databases quote things differently, and DB-API does little to standardize this. DB-API defines a high-level substitution placeholder ('?' or '%s' or '%(name)s' according to the database -- already a violation of One Way To Do It) but does not define a low-level escaping. Additionally, there are two kinds of escaping: one that puts quotes around non-numeric values (suitable for literals) and one that doesn't (suitable for table names, database names, functional expressions, etc. -- although I think MySQL allows quoted table/database names). You are encouraged to write: WHERE my_field >= %s and let it worry about the quoting. It works for ordinary strings, numbers, and None, and generally works with dates. But if the value is a built-in expression like 'CURRENT_TIMESTAMP', or you're trying to convert a list to an IN expression, it doesn't work. I finally found an undocumented escape() function in MySQLdb and wrote a Python function that does what I think it does (replace "'" with "\'" inside quotes) -- but that's a database-specific implementation issue DB-API is supposed to avoid. And if I want to make SQL that's fully portable between MySQL, SQLite, and PostgreSQL, no can do. Part of this is the various incompatible SQL syntaxes, and part is the incompatible placeholder syntaxes. -- Mike Orror
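The two cases the post says the placeholder approach cannot handle, a list turned into an IN expression and a built-in expression such as CURRENT_TIMESTAMP, handled without any hand-rolled escaping, as an added example that is not part of the original post. It assumes only the standard-library sqlite3 module, the positional paramstyles (qmark, format), and a constructed allowlist of inlinable SQL expressions; RAW_EXPRESSIONS, PLACEHOLDER, in_clause and demo are names chosen here.

```python
import sqlite3

# SQL expressions that may be inlined verbatim. Anything else is bound as a
# parameter, so the driver (not string formatting) handles quoting.
RAW_EXPRESSIONS = frozenset({"CURRENT_TIMESTAMP", "CURRENT_DATE", "NULL"})

# Positional DB-API paramstyles only; named/pyformat styles need dict params.
PLACEHOLDER = {"qmark": "?", "format": "%s"}


def in_clause(column, values, paramstyle="qmark"):
    """Return (sql_fragment, params) for `column IN (...)`.

    Each value gets its own placeholder. An empty list yields a clause that is
    always false, because `IN ()` is a syntax error on most databases. A value
    found in RAW_EXPRESSIONS is inlined as SQL text instead of being bound.
    """
    if not column.isidentifier():  # identifiers cannot be bound, so check them
        raise ValueError("unsafe column name %r" % column)
    mark = PLACEHOLDER[paramstyle]  # KeyError for unsupported styles
    marks, params = [], []
    for v in values:
        if isinstance(v, str) and v.upper() in RAW_EXPRESSIONS:
            marks.append(v.upper())
        else:
            marks.append(mark)
            params.append(v)
    if not marks:
        return "1 = 0", []
    return "%s IN (%s)" % (column, ", ".join(marks)), params


def demo():
    """Run the clause against a constructed in-memory sqlite3 table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO person VALUES (?, ?)",
                     [(1, "Mike"), (2, "O'Brien"), (3, "Ann")])
    # The apostrophe in O'Brien never touches the SQL text; sqlite3 binds it.
    frag, params = in_clause("name", ["Mike", "O'Brien"], sqlite3.paramstyle)
    rows = conn.execute("SELECT id FROM person WHERE " + frag, params)
    return sorted(r[0] for r in rows.fetchall())


if __name__ == "__main__":
    print(in_clause("created", ["CURRENT_TIMESTAMP", 5], "format"))
    print(demo())  # [1, 2]
```

Switching drivers means switching the placeholder token only; the values themselves are always bound, so no per-database quote-escaping function is needed.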