User Input to mySQL database

newbie1 · Aug-25-2020, 12:57 PM

Hi,

I have some issues while writing my query and specially how to "secure" de user_input in the query
I'm trying to use the user input and pass it in a query to get some results.

I have this Error:

MySQLdb._exceptions.ProgrammingError
MySQLdb._exceptions.ProgrammingError: (1064, 'You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near \'%"user_input"%\n\t\t\t\t\t\tor f.family_address like %"user_input"%\n\t\t\t\t\t\tORDER BY family_name\' at line 3')

Any help to improve my code?

#home.html

    <p class="article-content"> 
      <div class="form_form">
      <form class="form" method="post" action="/search">
        <label for="user_input"></label>
        <input id="user_input" name="user_input" type="text">
        <input type = "submit" value = "send">
      </form>  
    </div>   
    </p>

#routes.py

@app.route('/search', methods=['GET', 'POST'])
def search():
    if request.method == "POST":
        user_input = request.form["user_input"]  

        cur = db.connection.cursor()

        query = ("SELECT f.family_name, f.family_description, f.family_address, f.family_phone FROM Family f WHERE f.family_name like "%+user_input+"% or f.family_address like "%"+user_input+"%" ORDER BY family_name")

        cur.execute(query)

        results = cur.fetchall()
        
        return render_template('search_results.html', user_input=user_input, results=results)
        
    else:

        return redirect(url_for('home'))

#search_results.html

{% extends "layout.html" %}
{% block content %}
<article class="media content-section">
  <div class="media-body">
    <div class="article-metadata">
      <h5><a class="mr-2" href="#">results for{{ user_input }}</a></h5>
    </div>
    <p class="article-content"><p>Family Name: </p>{{ results.name }}</p>
    <p class="article-content"><p>Family Description: </p>{{ results.description }}</p>
    <p class="article-content"><p>Address: {{ results.address }}</p>
    <p class="article-content"><p>Phone Number: {{ results.phone }}</p>
  </div>
</article>


<form>
  <input type="button" value="New Search" onclick="history.go(-1)">
</form>

{% endblock content %}

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	Send email to gmail after user fill up contact form and getting django database updat	Man_from_India	0	2,125	Jan-22-2020, 03:59 PM Last Post: Man_from_India
	MySQL Database Flask	maurosmartins	0	1,827	Oct-03-2019, 10:56 AM Last Post: maurosmartins
	Download images generated by user input	one_of_us	0	2,516	Mar-26-2019, 07:58 AM Last Post: one_of_us
	How to format a datetime MySQL database field to local using strftime()	nikos	6	3,814	Feb-24-2019, 06:32 PM Last Post: nikos
	mysql database error	brecht83	1	5,048	Dec-14-2018, 01:25 PM Last Post: jeanMichelBain
	Flask: Cookies for Saving User Input ?	jomonetta	2	3,542	Nov-03-2018, 10:47 AM Last Post: j.crater
	[Flask] Create new project for add user,edit,delete,view users in python with mysql connector	chandranmanikandan	0	7,391	Oct-30-2018, 10:19 AM Last Post: chandranmanikandan
	Pulling any information from a dictionary with a user input	Darmanus	19	8,845	Nov-22-2017, 08:56 PM Last Post: Larz60+

User Input to mySQL database

User Panel Messages

Announcements