Is it best practice to avoid binding data using Python's string formatting functions due to SQL injection risk?


Multiple Choice

Is it best practice to avoid binding data using Python's string formatting functions due to SQL injection risk?

Explanation:
Binding data with parameterized queries is the safer, standard approach for including values in SQL. Building SQL by inserting values directly with Python's string formatting (or f-strings) mixes code and data, and any user-supplied input can alter the SQL itself, leading to SQL injection risks. Parameter binding sends the SQL statement with placeholders first, and the values are supplied separately by the driver. The database then treats those values strictly as data, applying proper escaping and typing, so the input cannot change the intended logic of the query. This not only prevents injection but also often improves performance through statement plan reuse when the same query runs with different values. In Snowflake with the Python connector, you typically provide the query with placeholders and pass the parameters separately, which enforces safe separation of code and data. So yes, it’s best practice to avoid Python string formatting for binding data due to SQL injection risk.

