Mahesh Jaganiya

Reputation: 165

Error "not all arguments converted during string formatting" while inserting in Database MySQL

I have an SQL query which is giving an error:

cur.execute("INSERT INTO `DB` (`ban`, `dntr`, `usrnm`, `id`, `dis`)  VALUES (1,0,?,?,?)",(param1,param2,param3,))

I don't want to use %s in the query because it is prone to SQL injection and I am taking input from users.

Upvotes: 1

Views: 58

Answers (1)

Alasdair

Reputation: 308889

mysqlclient uses %s as the placeholder (see the example in the docs).

Change your code to the following:

cur.execute("INSERT INTO `DB` (`ban`, `dntr`, `usrnm`, `id`, `dis`)  VALUES (1,0,%s,%s,%s)", (param1,param2,param3,))

You're right to be concerned about SQL injection, but the above is OK. You are still using execute with parameters, so they will be escaped.

The thing you shouldn't do is cur.execute(query % parameters, []). This is vulnerable to SQL injection.

Upvotes: 2
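An added example (not code from the question or the answer) that reproduces the TypeError from the question in plain Python and contrasts bound parameters with Python string formatting. It uses the standard-library sqlite3 driver (PEP 249 paramstyle 'qmark', placeholder ?) so it runs without a MySQL server; mysqlclient reports paramstyle 'format' (%s). Table and column names follow the question; the sample row is constructed.

```python
import sqlite3

# Column list from the question; the row values below are constructed.
COLUMNS = "(`ban`, `dntr`, `usrnm`, `id`, `dis`)"


def mysqlclient_style_substitution(query, escaped_params):
    # mysqlclient builds the final statement in Python as query % params
    # (after escaping every value), which is why its placeholder is %s.
    # A '?' placeholder leaves nothing for % to consume, so Python raises
    # the TypeError quoted in the question.
    return query % escaped_params


def question_error():
    try:
        mysqlclient_style_substitution(
            "INSERT INTO `DB` " + COLUMNS + " VALUES (1,0,?,?,?)", ("a", 1, "b"))
    except TypeError as e:
        return str(e)
    return None


def placeholder_for(driver_module):
    # PEP 249: each DB-API driver exposes its placeholder style as paramstyle.
    return {"format": "%s", "pyformat": "%s", "qmark": "?"}[driver_module.paramstyle]


def insert_bound(conn, driver_module, params):
    # Safe form: values are passed separately and the driver escapes them.
    p = placeholder_for(driver_module)
    sql = f"INSERT INTO `DB` {COLUMNS} VALUES (1, 0, {p}, {p}, {p})"
    cur = conn.cursor()
    cur.execute(sql, params)
    return cur.rowcount


def insert_formatted(conn, params):
    # The form the answer warns about: values pasted into the SQL text by Python.
    sql = f"INSERT INTO `DB` {COLUMNS} VALUES (1, 0, '%s', '%s', '%s')" % params
    cur = conn.cursor()
    cur.execute(sql, [])
    return cur.rowcount


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE `DB` (ban INTEGER, dntr INTEGER, usrnm TEXT, id INTEGER, dis TEXT)")
    params = ("O'Brien", 42, "has a ' quote")   # constructed user input with apostrophes
    bound = insert_bound(conn, sqlite3, params)  # stored verbatim
    try:
        insert_formatted(conn, params)
        formatted = "ok"
    except sqlite3.OperationalError as e:
        formatted = "error: " + str(e)           # the quote was parsed as SQL, not as data
    stored = conn.execute("SELECT usrnm FROM `DB`").fetchall()
    return bound, formatted, stored
```

The apostrophe case is the benign symptom of the same flaw: once user input becomes part of the SQL text, the parser reads it as syntax, which is exactly what parameter binding prevents.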
