We don't construct the database queries using the string formatting due to security problems. SQL injection attacks stem from lack of escapes and building queries from given strings.

We use parameter passing to database engine, e.g.


SELECT * FROM people WHERE name = ?



and use this query and pass the parameters /separately/ to the database. All databases support this kind of queries.

In Sqlite 3 under Python, we use


query="SELECT * FROM people WHERE name = ?"
params=(name,)
db_result = cursor.execute(query, params)



However, when debugging the queries, we may need to see the actual queries sent to the database. (e.g. when the data types may be important, when we need to have integer values for a column but get string values etc.)

In these cases, instead of constructing the query, we can use a switch in Python (> 3.3)

connection.set_trace_callback(print)


The argument is any function, or None to disable the tracing. So it's possible to use this with the logging module as well.