Hey all, I'm getting an error
OperationalError: (1054, "Unknown column 'XX' in 'where clause'")
Where XX is the value of CLASS in the following code
conn = MySQLdb.connect(host = "localhost",user = "user", passwd = "pass",db = "dbase")
cursor = conn.cursor()
cursor.execute("""SELECT * FROM %s WHERE course =%s AND sec = %s""" % (str(DEPT),str(CLASS),str(SEC),))
The thing is, I only get this error with certain values, namely, when CLASS contains a letter. I have the table set up as varchar if that helps
Thanks!
Don't use "string injection" into your SQL except for cases where it's truly indispensable, such as the str(DEPT)
here to choose what table you're selecting from. For every other case, use the parameter passing feature of the Python DB API instead -- it will quote things properly for you and automatically defend you against "SQL injection" attacks, among other things. (It can also be faster, sometimes).
Since MySQLdb uses the unfortunate notation %s
for parameters, here's what you should do (also fixing the style to be PEP8-compliant, not required but can't hurt;-):
conn = MySQLdb.connect(host="localhost", user="user", passwd="pass", db="dbase")
cursor = conn.cursor()
q = 'SELECT * FROM %s WHERE course=%%s AND sec = %%s""" % (DEPT,)
cursor.execute(q, (CLASS, SEC))
The %%
s in the string formatting which produces q
become a single %
each upon formatting, so q
is left with two occurrences of %s
-- which the execute
fills in neatly with correctly formatted versions of CLASS
and SEC
. All the str
calls are redundant, etc.
As an aside, if you're on Python 2.6 or later, for string formatting you should use the new format
method instead of the old %
operator -- that saves you from the need for those "doubled up % signs", among other advantages. I haven't applied that change in the above snippet just in case you're stuck with 2.5 or earlier (so the code above works in any version of Python, instead of just in reasonably recent ones).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With