I think maybe the proscription against "using string techniques for forming SQL queries" is being overblown. To me, it's totally fine to use string techniques to form the bones of a query, and then use bind variables to fill in the values. You just need to be aware of which variables you have control over, and which you do not. For example, it's kind of common to do something like
Code:
params = [val1]  # values are bound by the driver, never pasted into the SQL text
query = "select count(*) from mytable where mycondition < %s"
if use_other_condition:
    query += " and other_condition = %s"  # only the query skeleton is built by string concatenation
    params.append(val2)  # append is a method call, not a subscript
cursor.execute(query, params)
The %s is the general syntax that python's mysql and postgres libraries use. They substitute values in from the params list, safely. It is not possible to compromise the database in this way.
I think the proscription is against things of this type
Code:
query = "select count(*) from mytable where mycondition < '%s'" % (val1, )
which literally inserts the value into the query, without regard for quoting problems you might encounter, or, even worse
Code:
query = "select count(*) from %s" % (table_name, )
(where you, as the programmer, do not have control over table_name)
It is extremely common practice to build SQL queries with strings, and it's definitely possible to do it in a completely safe manner. It's the building block of most ORM systems, among other things.
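As an added example (not code from the post), the "string skeleton plus bind variables" pattern run end to end against an in-memory SQLite database, with an allowlist for the table name since identifiers cannot be bound. It assumes Python's sqlite3 module, whose placeholder is `?` rather than the `%s` of the MySQL/Postgres drivers mentioned above; the table and values are constructed here.

```python
import sqlite3

# Assumed mitigation for the table_name case: identifiers cannot be bind
# parameters, so the programmer keeps control of them with an allowlist.
ALLOWED_TABLES = {"mytable"}


def build_query(table_name, val1, val2=None):
    """Build the query skeleton with strings; values stay in the params list."""
    if table_name not in ALLOWED_TABLES:
        raise ValueError("table not in allowlist: %r" % (table_name,))
    params = [val1]
    query = "select count(*) from %s where mycondition < ?" % (table_name,)
    if val2 is not None:
        query += " and other_condition = ?"
        params.append(val2)
    return query, params


def count_rows(conn, table_name, val1, val2=None):
    """Execute the dynamically built query; the driver binds the values."""
    query, params = build_query(table_name, val1, val2)
    return conn.execute(query, params).fetchone()[0]


def make_db():
    """Constructed sample data: four rows in an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mytable (mycondition integer, other_condition text)")
    conn.executemany(
        "insert into mytable values (?, ?)",
        [(1, "a"), (2, "b"), (3, "a"), (10, "b")],
    )
    return conn


if __name__ == "__main__":
    conn = make_db()
    print(count_rows(conn, "mytable", 5))          # 3 rows below 5
    print(count_rows(conn, "mytable", 5, "a"))     # 2 of them have "a"
    # A quote-laden value is compared as a literal string, not parsed as SQL.
    print(count_rows(conn, "mytable", 5, "a' or '1'='1"))  # 0
```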