Python Forum
Need help on how to include single quotes on data of variable string
#5
Your query is constructed incorrectly. Somewhere online you probably saw something like this:
query1 = "SELECT * FROM stocks WHERE symbol = '%s'" % symbol
query2 = "SELECT * FROM stocks WHERE symbol = '{}'".format(symbol)
Usually when I see a query formed like this I see it preceded by a comment.
# Never do this -- insecure!
query1 = "SELECT * FROM stocks WHERE symbol = '%s'" % symbol
query2 = "SELECT * FROM stocks WHERE symbol = '{}'".format(symbol)
This kind of code leaves you open to an sql injection attack where an unscrupulous user could enter code in place of a valid symbol.

Instead of using string formatting, you should use placeholders and query parameters. In the example below, "stock_symbol" is a variable that references a stock symbol string that I want added to my query.
# Do this instead
query1 = "SELECT * FROM stocks WHERE symbol = ?"
cursor.execute(query1, (stock_symbol, ))
query2 = "SELECT * FROM stocks WHERE symbol = :symbol"
cursor.execute(query2, {"symbol": stock_symbol})
Your query mixed up the bad str.format() method that is susceptible to sql injection attacks with the recommended placeholders and query parameters method.
query2 = "SELECT * FROM trans WHERE PartNum = {}".format(current_partnum)
cursor.execute(query2,(current_partnum))
You use str.format() to replace {} with whatever is referenced by current_partnum. This is potentially dangerous and should be avoided, but this is only the first problem.

Next you use a query parameter when you execute the query. But there is no placeholder to receive the query parameter.

Finally you don't pass the query parameter correctly. This is a tuple (current_partnum, ). This is a variable surrounded by parentheses (current_partnum). The trailing comma is required when a tuple contains only one item.
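The three points above side by side, as an added example that is not part of the original thread: a value containing a single quote (the thread's original question) works fine with placeholders, the str.format() version breaks on the same value, and passing (symbol) instead of (symbol,) is rejected by the driver. The table, rows and symbol values are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data; the second symbol deliberately contains a single quote.
ROWS = [("ACME", 12.5), ("O'REILLY", 9.75)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stocks (symbol TEXT, price REAL)")
    conn.executemany("INSERT INTO stocks VALUES (?, ?)", ROWS)
    return conn


def lookup_formatted(conn, symbol):
    """The insecure pattern from the post: the value is spliced into the SQL text,
    so any quote inside it becomes part of the statement instead of the data."""
    query = "SELECT price FROM stocks WHERE symbol = '{}'".format(symbol)
    return conn.execute(query).fetchall()


def lookup_qmark(conn, symbol):
    """qmark placeholder: the driver binds the value, quotes and all, as data."""
    return conn.execute("SELECT price FROM stocks WHERE symbol = ?", (symbol,)).fetchall()


def lookup_named(conn, symbol):
    """Named placeholder: same binding, parameters passed as a dict."""
    query = "SELECT price FROM stocks WHERE symbol = :symbol"
    return conn.execute(query, {"symbol": symbol}).fetchall()


def lookup_not_a_tuple(conn, symbol):
    """The third mistake from the post: (symbol) is just the string itself, so the
    driver sees one binding per character rather than one parameter."""
    return conn.execute("SELECT price FROM stocks WHERE symbol = ?", (symbol)).fetchall()


def compare(symbol):
    """Run every variant against a fresh database and collect results or errors."""
    conn = make_db()
    results = {"qmark": lookup_qmark(conn, symbol), "named": lookup_named(conn, symbol)}
    try:
        results["formatted"] = lookup_formatted(conn, symbol)
    except sqlite3.OperationalError as exc:   # quote in the value breaks the SQL syntax
        results["formatted"] = "error: {}".format(exc)
    try:
        results["not_a_tuple"] = lookup_not_a_tuple(conn, symbol)
    except sqlite3.ProgrammingError as exc:   # wrong number of bindings supplied
        results["not_a_tuple"] = "error: {}".format(exc)
    return results


if __name__ == "__main__":
    for sym in ("ACME", "O'REILLY"):
        print(sym, compare(sym))
```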


Messages In This Thread
RE: Need help on how to include single quotes on data of variable string - by deanhystad - Jan-10-2023, 06:44 AM

