See for example https://github.com/FedericoCeratto/bottle-cork/blob/3690357e79921ada3088abe9791b0d2af531656c/cork/sqlite_backend.py#L86 We should instead use parametrized queries.