Python Forum

Full Version: Problem Using SQL Placeholder In MySQL Query
(Jul-29-2021, 05:31 AM) ndc85430 Wrote:
(Jul-29-2021, 05:07 AM) Pedroski55 Wrote:
cur = conn.cursor()

# Select query
cur.execute(f"SELECT studentnr, score FROM allstudentsAnswers{clas} WHERE weeknr = '{weeknr}'")
...

cur = conn.cursor()

# Select query
cur.execute(f"SELECT * FROM tbl_colours WHERE pc_name = '{mycmb}'")
output = cur.fetchall()

Please don't advise people to use string interpolation (or concatenation) in SQL queries as that is vulnerable to SQL injection. Parameterised queries are the correct way to do it, as they give the database a chance to validate the input.


Hi Pedroski55

I will try your solution but this is the one I found and it works a treat:

mysql = "SELECT * FROM tbl_colours WHERE pc_name = %(pc_name)s"

mycursor.execute(mysql, {'pc_name': mycmb})

Cheers
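The difference between the interpolated query ndc85430 objected to and the placeholder query above, as an added runnable example (not code from the thread): it uses the standard-library sqlite3 module so it runs offline, so the placeholder is written as :pc_name where MySQL Connector would use %(pc_name)s; the tbl_colours schema and the row data are constructed assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the thread's tbl_colours table.
ROWS = [("lab-pc-01", "red"), ("Pedro's PC", "blue"), ("lab-pc-02", "green")]


def make_db():
    """In-memory database with an assumed tbl_colours(pc_name, colour) schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_colours (pc_name TEXT, colour TEXT)")
    conn.executemany("INSERT INTO tbl_colours VALUES (?, ?)", ROWS)
    return conn


def lookup_interpolated(conn, mycmb):
    """The pattern criticised in the thread: the value is pasted into the SQL text,
    so any quote character in the input changes the structure of the statement."""
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM tbl_colours WHERE pc_name = '{mycmb}'")
    return cur.fetchall()


def lookup_parameterised(conn, mycmb):
    """Placeholder version: the driver sends the value separately, so it is only
    ever data. sqlite3 uses :name; MySQL Connector uses %(name)s for the same thing."""
    cur = conn.cursor()
    cur.execute("SELECT * FROM tbl_colours WHERE pc_name = :pc_name", {"pc_name": mycmb})
    return cur.fetchall()


def compare(mycmb):
    """Run both lookups on the same input and return (interpolated, parameterised).
    A statement that no longer parses is reported as an 'error: ...' string."""
    conn = make_db()
    try:
        interpolated = lookup_interpolated(conn, mycmb)
    except sqlite3.OperationalError as exc:
        interpolated = f"error: {exc}"
    parameterised = lookup_parameterised(conn, mycmb)
    conn.close()
    return interpolated, parameterised


if __name__ == "__main__":
    # A plain name works either way; a name containing an apostrophe breaks the
    # interpolated statement but is matched correctly through the placeholder.
    for name in ["lab-pc-01", "Pedro's PC"]:
        print(repr(name), compare(name))
```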
Glad to hear that!

For me, security is not an issue, I only have homework on my webpage.

I once asked on phphelp.com if they could show me an SQL injection attack to melt down my database, but no one answered.

But I'm sure it is wise to consider security.

Check out the link I posted, here it is again.

Looks very good!