Is there someone who knows how I can put an input variable (user input) in a SQLQuery in Python?
x = str(input("some text"))
sqlQuery = "SELECT * FROM tblname WHERE columname = x "
Thank you very much!
Asked
Active
Viewed 120 times
-1
VB1
- 21
- 3
-
What about concatenate your string and the user input ? – Grechka Vassili May 26 '17 at 09:47
-
Learn about prepared statements – Jens May 26 '17 at 09:48
-
https://stackoverflow.com/questions/902408/how-to-use-variables-in-sql-statement-in-python – apomene May 26 '17 at 09:48
-
https://stackoverflow.com/questions/1947750/does-python-support-mysql-prepared-statements – Christian König May 26 '17 at 09:48
1 Answers
0
you could concatenate the strings, Be aware however, that this leaves you vulnerable for SQL injection.
which would make your example
x = str(input("some text"))
sqlQuery = ("SELECT * FROM tblname WHERE columname = " + x)
or, a more readable version
sqlQuery = "SELECT * FROM tblname WHERE columname = %s" % (x)
Ron
- 155
- 12
-
1
-
you should handle that in the input, the question was how to enter a variable in the query, i agree that you should sanetize your inputs, but that wasn't the question – Ron May 26 '17 at 09:52
-
1I agree with @apomene, you should add a warning, since examples tend to get copy&pasted without thinking about (or even knowing) the implications. Also your example _does_ include the user input... ;-) – Christian König May 26 '17 at 09:53