Python mysql.connector.errors. %s passed to SQL query with quotes -
i execute following code in python
cursor.execute('show databases;') ans_dblist = cursor.fetchall() db_name in ans_dblist: cursor.execute('show tables %s;', (db_name[0],)) ans_tbl = cursor.fetchall() print ans_tbl
and error:
traceback (most recent call last): file "./mysqlcon.py", line 12, in <module> cursor.execute('show tables %s;', (db_name[0],)) file "/usr/lib/python2.6/site-packages/mysql/connector/cursor.py", line 507, in execute self._handle_result(self._connection.cmd_query(stmt)) file "/usr/lib/python2.6/site-packages/mysql/connector/connection.py", line 722, in cmd_query result = self._handle_result(self._send_cmd(servercmd.query, query)) file "/usr/lib/python2.6/site-packages/mysql/connector/connection.py", line 640, in _handle_result raise errors.get_exception(packet) mysql.connector.errors.programmingerror: 1064 (42000): have error in sql syntax; check manual corresponds mysql server version right syntax use near ''information_schema'' @ line 1
why %s
replaced quotes? sql query find base 'information schema' instead information schema (without quotes).
the fact mysqlpython uses standard string format marker ("%") variables placeholders in queries can make things confusing.
the queries placeholder in python's db-api values used in where
clauses , insert
, update
statements, , santized / escaped / quoted db-api avoid sql injections etc. not supposed used table or field names.
so, want here build query using string formatting:
sql = 'show tables %s;' % (db_name[0],) cursor.execute(sql)
since db_name[0]
comes trusted source, there's no security issue here.
Comments
Post a Comment