I'm trying to insert a string into a SQLite Select statement in python. When I try this code:

cur.execute("SELECT * FROM DB WHERE employeeNum = '?'",(empNum,))

I get this error:

sqlite3.ProgrammingError: Incorrect number of bindings supplied. The current statement uses 0, and there are 1 supplied.

When I try this code:

cur.execute("SELECT * FROM DB WHERE employeeNum = '",empNum,"'")

I get this error:

TypeError: function takes at most 2 arguments (3 given)

How do I query this string? Sorry, I'm new to Python. Any help would be greatly appreciated!

user908759

1 Answer

Do not use string formatting to insert query parameters into the query: this would make SQL injection possible, and you would have problems with characters that need to be escaped, with data type conversions, etc.

Eliminate the quotes around ? and continue using parameterized query parameters:

cur.execute("SELECT * FROM DB WHERE employeeNum = ?", (empNum, ))

The quotes around ? made sqlite interpret ? as a string, not a placeholder.

Also see similar problem:

alecxe
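The following is an added example, not code from the question or from alecxe's answer. It builds an in-memory SQLite table (the `DB` table and `employeeNum` column are the question's names; the `name` column and the two sample rows are constructed) and runs three variants: the quoted `'?'` form that raises the binding-count error, the correct bare `?` placeholder, and the string-formatting approach the answer warns against, fed an employee number containing an apostrophe to show the escaping problem the answer mentions.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory stand-in for the asker's DB table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE DB (employeeNum TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO DB VALUES (?, ?)",
        [("1001", "Alice"), ("1002", "Bob")],
    )
    return conn


def quoted_placeholder(conn, emp_num):
    """The asker's first attempt. Inside quotes, '?' is a one-character string
    literal, so the statement has zero placeholders and sqlite3 rejects the one
    binding supplied. Returns the exception class name, or None if no error."""
    try:
        conn.execute("SELECT * FROM DB WHERE employeeNum = '?'", (emp_num,))
    except sqlite3.ProgrammingError as exc:
        return type(exc).__name__
    return None


def lookup(conn, emp_num):
    """The corrected form: a bare ? placeholder with the value in a one-element
    tuple. The driver binds the value; it never becomes part of the SQL text,
    so quotes in emp_num are just data and cannot alter the query."""
    cur = conn.execute(
        "SELECT employeeNum, name FROM DB WHERE employeeNum = ?", (emp_num,)
    )
    return cur.fetchall()


def lookup_formatted(conn, emp_num):
    """What the answer advises against: splicing the value into the SQL string.
    A value containing an apostrophe breaks the statement; the same property
    is what lets crafted input change the query's meaning. Returns the rows,
    or the exception class name when SQLite rejects the statement."""
    try:
        cur = conn.execute(
            "SELECT employeeNum, name FROM DB WHERE employeeNum = '%s'" % emp_num
        )
    except sqlite3.OperationalError as exc:
        return type(exc).__name__
    return cur.fetchall()


if __name__ == "__main__":
    db = make_db()
    print(quoted_placeholder(db, "1001"))   # ProgrammingError
    print(lookup(db, "1001"))               # [('1001', 'Alice')]
    print(lookup(db, "10'01"))              # []  (apostrophe treated as data)
    print(lookup_formatted(db, "10'01"))    # OperationalError (broken SQL)
```

The parameterized `lookup` treats `10'01` as an ordinary value and simply finds no match, while `lookup_formatted` hands SQLite a malformed statement; that difference is the practical reason to keep the placeholder unquoted and let the driver do the binding.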