I'm doing a Flask experiment and can't solve this MySQL problem. I keep getting this error:

_mysql_exceptions.ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@gmail.com,3)' at line 1")

This is my code for the query and also the submission to the database:

username = form.username.data
email = form.email.data
password = form.password.data
#TODO ENCRYPT PASSWORDS
cursor = mysql.connection.cursor()
query = "insert into Users
    values ('" + username+"',"''+email+"','"+password+"')"
cursor.execute(query)
mysql.connection.commit()
cursor.close()

I have tried all the solutions that were suggested in other questions but none of them have worked.

  • You have two single quotes before +email. There should only be one. P.S. You should be using prepared statements and parameterized queries otherwise you leave yourself open to SQL Injection attacks. https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php/60496#60496 – Dijkgraaf Feb 01 '18 at 23:40
  • If you used parameters, you would not have this sort of problem. – Gordon Linoff Feb 01 '18 at 23:59

1 Answer

You have a typo here:

values ('" + username+"',"''+email+"','"+password+"')"

It should be:

values ('" + username+"','"+email+"','"+password+"')"

alanfcm
  • 78
  • 3
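
The parameterized query recommended in the comments, shown next to the concatenated form, as an added example that is not part of the original question or answer. It assumes `sqlite3` as an offline stand-in for MySQL and assumes the column names `username`, `email` and `password`; the sample rows are constructed.

```python
import sqlite3

# Assumption: sqlite3 stands in for MySQL so the example runs offline.
# With flask_mysqldb / MySQLdb the placeholder is %s instead of ?:
#   cursor.execute("INSERT INTO Users (username, email, password) "
#                  "VALUES (%s, %s, %s)", (username, email, password))

def make_db():
    conn = sqlite3.connect(":memory:")
    # Column names are assumed; the question does not show the schema.
    conn.execute("CREATE TABLE Users (username TEXT, email TEXT, password TEXT)")
    return conn

def insert_concatenated(conn, username, email, password):
    """The question's approach with the quote typo fixed: input becomes SQL text."""
    query = ("INSERT INTO Users VALUES ('" + username + "','" + email
             + "','" + password + "')")
    conn.execute(query)
    conn.commit()

def insert_parameterized(conn, username, email, password):
    """Values travel separately from the statement; the driver handles quoting."""
    query = "INSERT INTO Users (username, email, password) VALUES (?, ?, ?)"
    conn.execute(query, (username, email, password))
    conn.commit()

def try_insert(insert_fn, row):
    """Run one insert on a fresh database and report what was stored."""
    conn = make_db()
    try:
        insert_fn(conn, *row)
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)
    rows = conn.execute("SELECT username, email, password FROM Users").fetchall()
    return ("ok", rows)

# Constructed sample inputs. The third field stands for an already-hashed
# password (the question's TODO), not a plaintext one.
PLAIN_ROW = ("alice", "alice@example.com", "placeholder-hash")
QUOTE_ROW = ("o'brien", "pat.o'brien@example.com", "placeholder-hash")

if __name__ == "__main__":
    for fn in (insert_concatenated, insert_parameterized):
        for row in (PLAIN_ROW, QUOTE_ROW):
            print(fn.__name__, repr(row[0]), try_insert(fn, row))
```

A legitimate value containing an apostrophe is enough to break the concatenated statement, while the parameterized version stores it verbatim.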