0

In my python app getting data from DB by the below query,

cur = connM.cursor()
cur.execute("SELECT * FROM users WHERE useremail = '{}' ".format(userEmail)) 
user_record = cur.fetchall()

and from the response user_record, I am trying to get the only value which is in index 3 like below ;

value = [item[2] for item in user_record]

in user_record, I have the below value when I print it,

[(3, 'test@gmail.com', '00000000', 'Test', 'Test', '1234', '123456')]

however in value when I am printing it I am seeing below,

['00000000']

how I can assign a pure string value to the variable so I can use it after that in some conditions like;

if value == "00000000":
..
..
Mushamba
  • 3
  • 1
  • **Never** use python's formatting to construct SQL queries. You're asking for SQL injections. This example you've provided is absolutely 100% insecure. – Ted Klein Bergman May 04 '22 at 08:53
  • what can be your advice here? – Mushamba May 04 '22 at 09:03
  • To not use them! Depending on what library you're using, there should exist a way to construct [*parameterized queries*](https://stackoverflow.com/questions/4712037/what-is-parameterized-query). In psycopg, you can do [this](https://www.psycopg.org/psycopg3/docs/basic/params.html) for example. – Ted Klein Bergman May 04 '22 at 09:23
  • Ok thx, i will have a look – Mushamba May 04 '22 at 09:40

1 Answers1

0

fetchall returns a list of tuples of query result. To get the third element and also to do the comparison you can either iterate over the user_record and access the 2nd index.

for item in user_record:
    if item[2] == "00000000":
        # TODO

or If you are sure that the result will always contains single element, you can directly index the element,

if user_record[0][2] == "00000000":
    pass
Abdul Niyas P M
  • 18,035
  • 2
  • 25
  • 46