Python/MySQL query error: `Unknown column`
This script is meant to act as a command-line front-end to add records to a locally hosted MySQL database.
I am getting this error:
mysql.connector.err
-
The issue is here:
add_record = "INSERT INTO fruit (name, variety) VALUES (%s, %s)" % (new_fruit, new_fruit_type)Imagine the query this would produce:
INSERT INTO fruit (name, variety) VALUES (watermelon, something_else)Those values aren't values anymore! They look more like column references (
Unknown column 'watermelon' in 'field list')Instead, you should use prepared statements:
query = "INSERT INTO fruit (name, variety) VALUES (%s, %s)" cursor.execute(query, (new_fruit, new_fruit_type))This will automatically take care of the parameterization for you, and will prevent SQL Injection
讨论(0) -
"INSERT INTO fruit (name, variety) VALUES (%s, %s)" % ("watermelon", "melon")Literally becomes
INSERT INTO fruit (name, variety) VALUES (watermelon, melon)Instead of strings,
watermelonandmelonare columns. To fix this, put quotes around your%s."INSERT INTO fruit (name, variety) VALUES ('%s', '%s')" % (new_fruit, new_fruit_type)However, you should run it as:
cursor.execute("INSERT INTO fruit (name, variety) VALUES (%s, %s)", (new_fruit, new_fruit_type));Notice we took away the quotations around the
%sand are passing the variables as the second argument to theexecutemethod.Executeprevents sql injection from the variables as well as wraps strings in quotation marks.For more information, see http://mysql-python.sourceforge.net/MySQLdb.html#some-examples
讨论(0)
加载中...
- 热议问题