-2

I keep getting the syntax error:

cur.execute('SELECT * FROM ' + table + ' WHERE Name = "%s";' %(name))

sqlite3.OperationalError: near "%": syntax error

msw
  • 42,753
  • 9
  • 87
  • 112
jordan corfield
  • 1
  • 1

1 Answers1

3

You aren't giving table a name
Use: 

table = "class%s" %(class_name)

instead of:

table = "class%s"

and don't specify result when updating the table as that is a string, use score instead.
I would like to reiterate what was said in one of the comments about string formatting, use the ? format instead, you are already partially doing that.

Edit concerning your comment about not knowing about string formatting.
This is string formatting: 

   cur.execute('UPDATE ' + table + ' WHERE Surname = "%s", WHERE Name = "%s", SET Score = "%s";'% (last_name, name, score))

and this is the preferred method, which you are already partially using:

   cur.execute('INSERT INTO ' + table + ' (Surname, Name, Score) VALUES (?, ?, ?)', (last_name, name, score))

As FallenAngel has pointed out using string formatting is open to SQL injection and is therefore frowned upon, as it's a security hole. The problem in this case is that tables can't be the target of parameter substitution, so you have a dilemma. Either you write your code with hard-coded table names or if that is not an option you need to at least test for a valid table name-
There is a way with sqlite3 to test for a valid table if you find yourself with this problem. 

table = "sometable"
mycursor.execute('SELECT name FROM sqlite_master where (name = ?)', [table])
row = mycursor.fetchall()
valid_table = False
if row:
    valid_table = True
if valid_table:
    (perform your sql statements here.......)
Rolf of Saxony
  • 21,661
  • 5
  • 39
  • 60
  • cheers that fixed that problem but now a new ones come up – jordan corfield Oct 16 '15 at 09:48
  • cur.execute('SELECT * from {0} WHERE Name = {1} ;'.format(table, name)) sqlite3.OperationalError: no such column: Bob – jordan corfield Oct 16 '15 at 09:48
  • Bob is the value of name – jordan corfield Oct 16 '15 at 09:49
  • 1
    Do not use string formatting for creating Sql queries! It is open to Sql Injection. – Mp0int Oct 16 '15 at 09:52
  • 1. That code isn't even in your question. 2. You haven't given the tables a primary key – Rolf of Saxony Oct 16 '15 at 10:00
  • @FallenAngel Isn't that what I said! – Rolf of Saxony Oct 16 '15 at 10:01
  • @RolfofSaxony passing table name is not a good way to go too. – Mp0int Oct 16 '15 at 10:04
  • @jordancorfield: limit your questions to one issue per question. If this answer fixes your issue then [mark it as accepted (tap the tick on the left)](http://stackoverflow.com/help/accepted-answer). Ask a new question for any new issue (you can link to previous questions for context but the question should be intelligible by itself). Unrelated: don't dump all the code you have, try to [create a minimal but complete code example instead](http://stackoverflow.com/help/mcve) – jfs Oct 16 '15 at 10:05
  • @FallenAngel 1. I'm just running with the supplied code and 2. as far as I know tables can't be the target of parameter substitution, unless you know different! ;) – Rolf of Saxony Oct 16 '15 at 10:17
  • @RolfofSaxony table names can not be passed as parameters to sql commands, that is right. but using string substitution for passing table names as variables is not discouraged and considered very bad. [Check this for example](http://stackoverflow.com/a/13793441/257972) – Mp0int Oct 16 '15 at 11:28
  • @FallenAngel string substitution of table name issue hopefully addressed – Rolf of Saxony Oct 19 '15 at 06:53
  • Ok. Downvote retracted. Upvote for fine explanation – Mp0int Oct 19 '15 at 07:40