Python mysql.connector.errors. %s passed to SQL query with quotes -


i execute following code in python

cursor.execute('show databases;') ans_dblist = cursor.fetchall()   db_name in ans_dblist:   cursor.execute('show tables %s;', (db_name[0],))   ans_tbl = cursor.fetchall()   print ans_tbl 

and error:

traceback (most recent call last):   file "./mysqlcon.py", line 12, in <module>     cursor.execute('show tables %s;', (db_name[0],))   file "/usr/lib/python2.6/site-packages/mysql/connector/cursor.py", line 507, in execute     self._handle_result(self._connection.cmd_query(stmt))   file "/usr/lib/python2.6/site-packages/mysql/connector/connection.py", line 722, in cmd_query     result = self._handle_result(self._send_cmd(servercmd.query, query))   file "/usr/lib/python2.6/site-packages/mysql/connector/connection.py", line 640, in _handle_result     raise errors.get_exception(packet) mysql.connector.errors.programmingerror: 1064 (42000): have error in sql syntax; check manual corresponds mysql server version right syntax use near ''information_schema'' @ line 1 

why %s replaced quotes? sql query find base 'information schema' instead information schema (without quotes).

the fact mysqlpython uses standard string format marker ("%") variables placeholders in queries can make things confusing.

the queries placeholder in python's db-api values used in where clauses , insert , update statements, , santized / escaped / quoted db-api avoid sql injections etc. not supposed used table or field names.

so, want here build query using string formatting:

sql =  'show tables %s;' % (db_name[0],) cursor.execute(sql) 

since db_name[0] comes trusted source, there's no security issue here.


Comments

Popular posts from this blog

Payment information shows nothing in one page checkout page magento -

tcpdump - How to check if server received packet (acknowledged) -