Jan-10-2023, 06:44 AM
Your query is constructed incorrectly. Somewhere online you probably saw something like this:
    query1 = "SELECT * FROM stocks WHERE symbol = '%s'" % symbol
    query2 = "SELECT * FROM stocks WHERE symbol = '{}'".format(symbol)

Usually when I see a query formed like this I see it preceded by a comment.

    # Never do this -- insecure!
    query1 = "SELECT * FROM stocks WHERE symbol = '%s'" % symbol
    query2 = "SELECT * FROM stocks WHERE symbol = '{}'".format(symbol)

This kind of code leaves you open to an SQL injection attack where an unscrupulous user could enter code in place of a valid symbol.

Instead of using string formatting, you should use placeholders and query parameters. In the example below, "stock_symbol" is a variable that references a stock symbol string that I want added to my query.

    # Do this instead
    query1 = "SELECT * FROM stocks WHERE symbol = ?"
    cursor.execute(query1, (stock_symbol, ))
    query2 = "SELECT * FROM stocks WHERE symbol = :symbol"
    cursor.execute(query2, {"symbol": stock_symbol})

Your query mixed up the bad str.format() method that is susceptible to SQL injection attacks with the recommended placeholders and query parameters method.

    query2 = "SELECT * FROM trans WHERE PartNum = {}".format(current_partnum)
    cursor.execute(query2,(current_partnum))

You use str.format() to replace {} with whatever is referenced by current_partnum. This is potentially dangerous and should be avoided, but this is only the first problem.
Next you use a query parameter when you execute the query. But there is no placeholder to receive the query parameter.
Finally you don't pass the query parameter correctly. This is a tuple: (current_partnum, ). This is a variable surrounded by parentheses: (current_partnum). The trailing comma is required when a tuple contains only one item.
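The three problems described in the post above, run end to end against an in-memory SQLite database. This is an added example, not code from the original thread: the stocks and trans tables, their rows, and the function names (make_db, lookup_unsafe, lookup_safe, lookup_named, lookup_part) are constructed here for illustration. It shows a str.format() query being subverted by a crafted "symbol" (first to dump every row, then to read a different table with UNION), the same inputs doing nothing against ? and :name placeholders, and the error sqlite3 raises when (current_partnum) is passed instead of (current_partnum,).

```python
import sqlite3


def make_db():
    """Build an in-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stocks (symbol TEXT, price REAL)")
    conn.executemany("INSERT INTO stocks VALUES (?, ?)",
                     [("AAPL", 150.0), ("MSFT", 300.0), ("IBM", 130.0)])
    conn.execute("CREATE TABLE trans (PartNum TEXT, qty INTEGER)")
    conn.executemany("INSERT INTO trans VALUES (?, ?)",
                     [("P-100", 5), ("P-200", 7)])
    conn.commit()
    return conn


def lookup_unsafe(conn, symbol):
    """Vulnerable: the caller's string is spliced into the SQL text.

    Anything the caller puts in `symbol` becomes part of the statement,
    so a quote character ends the literal and the rest is parsed as SQL.
    """
    query = "SELECT symbol, price FROM stocks WHERE symbol = '{}'".format(symbol)
    return conn.execute(query).fetchall()


def lookup_safe(conn, symbol):
    """Safe: '?' placeholder, value passed as a one-item tuple.

    The driver binds the value separately from the statement text, so a
    quote inside `symbol` is just data and can never change the query.
    """
    query = "SELECT symbol, price FROM stocks WHERE symbol = ?"
    return conn.execute(query, (symbol,)).fetchall()


def lookup_named(conn, symbol):
    """Safe: ':symbol' named placeholder bound from a dict."""
    query = "SELECT symbol, price FROM stocks WHERE symbol = :symbol"
    return conn.execute(query, {"symbol": symbol}).fetchall()


def lookup_part(conn, current_partnum, trailing_comma=True):
    """Demonstrate the tuple mistake from the thread.

    (current_partnum,) is a one-item tuple and binds correctly.
    (current_partnum) is just the string itself; sqlite3 then treats the
    string as a *sequence of characters* and complains that the number of
    bindings does not match. The error text is returned so it can be shown.
    """
    query = "SELECT PartNum, qty FROM trans WHERE PartNum = ?"
    params = (current_partnum,) if trailing_comma else (current_partnum)
    try:
        return conn.execute(query, params).fetchall()
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    evil = "' OR '1'='1"
    print("unsafe, normal input :", lookup_unsafe(db, "AAPL"))
    print("unsafe, evil input   :", lookup_unsafe(db, evil))
    print("safe,   evil input   :", lookup_safe(db, evil))
    print("named,  evil input   :", lookup_named(db, evil))
    print("tuple  (x,)          :", lookup_part(db, "P-100"))
    print("not a tuple (x)      :", lookup_part(db, "P-100", trailing_comma=False))
```

The same `'` that breaks the formatted query is harmless to the parameterised versions because the value never touches the SQL text; that is the whole point of placeholders, and it is also why the trailing comma matters: without it, there is no tuple to bind.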