问题
I have recently started to learn Python and MySQL for web purposes and I have run into a following problem :
I want to pull out from a mysql database one record that contains any text that I enter in param section, howerver I am running into following problem when making a query:
traceback (most recent call last):
File "/Users/Strielok/Desktop/test.py", line 13, in <module>
c.execute("SELECT * FROM data WHERE params LIKE ('%s%') LIMIT 1" % (param))
TypeError: not enough arguments for format string
Here is my code:
import MySQLdb
db = MySQLdb.connect (host = "localhost",
user = "root",
passwd = "root",
db = "test")
param = "Test"
par = param
c = db.cursor()
c.execute("SELECT * FROM data WHERE params LIKE ('%s%') LIMIT 1" % (param))
data = c.fetchall()
print data
c.close()
Thanks in advance.
回答1:
Directly inserting the data into the SQL string is not the best way to do this, as it is prone to SQL injection. You should change it to this:
c.execute("SELECT * FROM data WHERE params LIKE %s LIMIT 1", ("%" + param + "%",))
回答2:
Your not using a proper parameter. Python is expecting another qualifier in this area ('%s%___') in order to do a string substitution. This is also vulnerable code. The proper way to do this would look more like:
c.execute("SELECT * FROM data WHERE params LIKE '%%s%' LIMIT 1",(param,))
来源:https://stackoverflow.com/questions/10903497/python-mysqldb-where-sql-like