No - the `execute` method will take care to escape the argument correctly. Thus, if `t` is `Robert'); DROP TABLE Students;--`, the full command that would be transmitted to the DB engine in the second case would be something like

    SELECT * FROM stocks WHERE symbol='Robert\'); DROP TABLE Students;--'

which is secure (note the backslash).

EDIT: (Actually, do note the comment by CL)
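As an added example that is not part of the answer above: a self-contained `sqlite3` script that feeds the quoted `Robert'); DROP TABLE Students;--` input both to a query built by string formatting and to a parameterized one, then checks whether the `Students` table survived. The `stocks`, `symbol` and `Students` names come from the thread; the `qty` column and the sample rows are constructed for the demo.

```python
import sqlite3

# Constructed sample input: the injection string quoted in the answer above.
MALICIOUS_SYMBOL = "Robert'); DROP TABLE Students;--"


def make_db():
    """Build an in-memory database with the two tables the discussion mentions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stocks (symbol TEXT, qty INTEGER)")
    conn.execute("CREATE TABLE Students (name TEXT)")
    # Constructed rows so the lookups have something to match.
    conn.executemany("INSERT INTO stocks VALUES (?, ?)", [("RHAT", 100), ("IBM", 50)])
    conn.execute("INSERT INTO Students VALUES ('Robert')")
    conn.commit()
    return conn


def lookup_unsafe(conn, t):
    """Vulnerable: t is pasted into the SQL text, so a quote inside t ends the literal."""
    return conn.execute("SELECT * FROM stocks WHERE symbol='%s'" % t).fetchall()


def lookup_safe(conn, t):
    """Hardened: t is handed over as a bound parameter and is only ever compared as a value."""
    return conn.execute("SELECT * FROM stocks WHERE symbol=?", (t,)).fetchall()


def students_table_exists(conn):
    """True while the Students table is still present in the schema catalogue."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='Students'"
    ).fetchone()
    return row is not None


def demo():
    """Run both variants against the malicious input and report what happened."""
    conn = make_db()
    safe_rows = lookup_safe(conn, MALICIOUS_SYMBOL)  # no stock carries that symbol
    unsafe_error = None
    try:
        lookup_unsafe(conn, MALICIOUS_SYMBOL)
    except (sqlite3.Error, sqlite3.Warning) as e:
        # The pasted quote turns the rest of t into SQL syntax; here the statement
        # fails to parse rather than running, which is luck, not protection.
        unsafe_error = type(e).__name__
    return safe_rows, students_table_exists(conn), unsafe_error


if __name__ == "__main__":
    print(demo())
```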