User Input to mySQL database

[newbie1]

your line 8

query = ("SELECT f.family_name, f.family_description, f.family_address, f.family_phone FROM Family f WHERE f.family_name like "%+user_input+"% or f.family_address like "%"+user_input+"%" ORDER BY family_name")

should raise an error

Error:
>>> user_input = 'SPAM'
>>> query = ("SELECT f.family_name, f.family_description, f.family_address, f.family_phone FROM Family f WHERE f.family_name like "%+user_input+"% or f.family_address like "%"+user_input+"%" ORDER BY family_name")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: bad operand type for unary +: 'str'

check the quotes. ALso note that what you do is prone to cause you problems. You should use parametrized query, not concatenate user input. this will open your code to sql injections


and there is no need of using brackets on this line

This is what I did but got a new Error and tried to fix it changing the position of "cur=db.connection.cursor()" but nothing

MySQLdb._exceptions.ProgrammingError
MySQLdb._exceptions.ProgrammingError: execute() first

@app.route('/search', methods=['GET', 'POST'])
def search():

    cur = db.connection.cursor()

    if request.method == "POST":
        
        user_input = request.form["user_input"]  

        cur.execute = ("SELECT f.family_name, f.family_description, f.family_address, f.family_phone FROM Shop f WHERE f.family_address LIKE %s ORDER BY family_name", ( "%" + user_input + "%",))

        results = cur.fetchall()
        
        return render_template('search_results.html', user_input=user_input, results=results)
        
    else:

        return redirect(url_for('home'))