Doctor code

Reputation: 11

Passing Safe Query Parameters with SQLite in Python

I am working on a project that uses an HTML text input to retrieve data from a SQLite database. The idea goes like this: the user types a string representing a product number and I look into my database for that string.

I have tried to make my query safe against SQL injection as suggested in this tutorial, because the data does not come from me.

cursor.execute("SELECT product_number FROM price_history WHERE product_number = %s';", (user_input, ))

However, when I try to execute my code, I get:

sqlite3.OperationalError: near "%": syntax error

Upvotes: 1

Views: 2166

Answers (1)

gmolnar

Reputation: 108

There's an extra ' after %s.

Read the first paragraphs of the python docs on sqlite3 that show the correct way to use placeholders.

cursor.execute("SELECT product_number FROM price_history WHERE product_number = (?)", (user_input, )) should work.

Upvotes: 1
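A runnable illustration of the answer's point, added here and not part of either post: under sqlite3 the %s marker fails to parse, while the ? (qmark) and named placeholders bind user_input as data. The price_history table, its rows and the function names are constructed for this example.

```python
import sqlite3

# Constructed sample data standing in for the poster's price_history table.
SAMPLE_ROWS = [("A-100", 9.99), ("A-200", 19.99), ("B-300", 4.50)]


def make_db():
    """Create an in-memory SQLite database seeded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE price_history (product_number TEXT, price REAL)")
    conn.executemany("INSERT INTO price_history VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def lookup_percent_s(conn, user_input):
    """The question's %s marker: sqlite3 does not recognise it, so the
    statement fails to parse. Returns the error text instead of raising."""
    try:
        conn.execute(
            "SELECT product_number FROM price_history WHERE product_number = %s",
            (user_input,),
        )
        return "unexpected success"
    except sqlite3.OperationalError as exc:
        return f"OperationalError: {exc}"

def lookup_qmark(conn, user_input):
    """Correct form: the ? (qmark) placeholder bound from a 1-tuple.
    The input is sent as data, so quotes inside it cannot alter the query."""
    cur = conn.execute(
        "SELECT product_number FROM price_history WHERE product_number = ?",
        (user_input,),
    )
    return [row[0] for row in cur.fetchall()]

def lookup_named(conn, user_input):
    """Equivalent form using sqlite3's named placeholder and a dict."""
    cur = conn.execute(
        "SELECT product_number FROM price_history WHERE product_number = :pn",
        {"pn": user_input},
    )
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = make_db()
    print(lookup_percent_s(db, "A-100"))    # OperationalError: near "%": syntax error
    print(lookup_qmark(db, "A-100"))        # ['A-100']
    print(lookup_qmark(db, "' OR '1'='1"))  # [] : bound as a literal string, matches nothing
    print(lookup_named(db, "B-300"))        # ['B-300']
```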
