Beware of SQL injection attacks.
See "Exploits of a Mom".
# Do not do this.
# This sql template is vulnerable: the query is assembled by string
# formatting, so whatever `name` contains is spliced into the SQL text
# and parsed as SQL, not treated as a data value.
sql = "SELECT grade FROM stuff WHERE name = '%s';"
sql
# (interpreter output)
"SELECT grade FROM stuff WHERE name = '%s';"
# Things work ok with nice input.
name = 'John'
sql % name
# (interpreter output)
"SELECT grade FROM stuff WHERE name = 'John';"
# Do not do this.
# A malicious name can do bad things: the value below closes the quoted
# literal, terminates the statement, appends a second statement, and then
# re-opens a quoted value so the template's trailing "';" still parses.
name = '''Robert'; DROP TABLE students;SELECT 'foo'''
sql % name
# (interpreter output) -- three statements where one was intended.
"SELECT grade FROM stuff WHERE name = 'Robert'; DROP TABLE students;SELECT 'foo';"
# The fix: never format values into the SQL text. Pass them as bound
# parameters through the DB-API placeholder so the driver handles `name`
# as data, e.g. cursor.execute("SELECT grade FROM stuff WHERE name = ?", (name,)).