Replacing integers with variables in SQL commands in python [duplicate]












-1
















This question already has an answer here:




  • Escaping chars in Python and sqlite

    4 answers




So currently my code is this which works



result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID="1";')


But as others use my programme the customer will change so how do I replace 1 with a variable like this..



cat = str(1)    
result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=cat;')


However, this doesn't work so any help thanks










share|improve this question













marked as duplicate by Martijn Pieters python
Users with the  python badge can single-handedly close python questions as duplicates and reopen them as needed.

StackExchange.ready(function() {
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function() {
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function() {
$hover.showInfoMessage('', {
messageElement: $msg.clone().show(),
transient: false,
position: { my: 'bottom left', at: 'top center', offsetTop: -7 },
dismissable: false,
relativeToBody: true
});
},
function() {
StackExchange.helpers.removeMessages();
}
);
});
});
Nov 13 '18 at 9:54


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.











  • 1





    The sqlite3 documentation covers this for you; look for placeholders and parameters. Do not use string interpolation, as that would open you up to SQL injection attacks!

    – Martijn Pieters
    Nov 13 '18 at 9:53











  • For this specific query, use one placeholder (?): result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=?;', (cat,)), there cat is the customer ID. You do not need to convert it to a string first.

    – Martijn Pieters
    Nov 13 '18 at 10:00


















-1
















This question already has an answer here:




  • Escaping chars in Python and sqlite

    4 answers




So currently my code is this which works



result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID="1";')


But as others use my programme the customer will change so how do I replace 1 with a variable like this..



cat = str(1)    
result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=cat;')


However, this doesn't work so any help thanks










share|improve this question













marked as duplicate by Martijn Pieters python
Users with the  python badge can single-handedly close python questions as duplicates and reopen them as needed.

StackExchange.ready(function() {
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function() {
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function() {
$hover.showInfoMessage('', {
messageElement: $msg.clone().show(),
transient: false,
position: { my: 'bottom left', at: 'top center', offsetTop: -7 },
dismissable: false,
relativeToBody: true
});
},
function() {
StackExchange.helpers.removeMessages();
}
);
});
});
Nov 13 '18 at 9:54


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.











  • 1





    The sqlite3 documentation covers this for you; look for placeholders and parameters. Do not use string interpolation, as that would open you up to SQL injection attacks!

    – Martijn Pieters
    Nov 13 '18 at 9:53











  • For this specific query, use one placeholder (?): result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=?;', (cat,)), there cat is the customer ID. You do not need to convert it to a string first.

    – Martijn Pieters
    Nov 13 '18 at 10:00
















-1












-1








-1









This question already has an answer here:




  • Escaping chars in Python and sqlite

    4 answers




So currently my code is this which works



result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID="1";')


But as others use my programme the customer will change so how do I replace 1 with a variable like this..



cat = str(1)    
result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=cat;')


However, this doesn't work so any help thanks










share|improve this question















This question already has an answer here:




  • Escaping chars in Python and sqlite

    4 answers




So currently my code is this which works



result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID="1";')


But as others use my programme the customer will change so how do I replace 1 with a variable like this..



cat = str(1)    
result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=cat;')


However, this doesn't work so any help thanks





This question already has an answer here:




  • Escaping chars in Python and sqlite

    4 answers








python sql sqlite sqlite3 pyqt






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 13 '18 at 9:50









Megan59781Megan59781

435




435




marked as duplicate by Martijn Pieters python
Users with the  python badge can single-handedly close python questions as duplicates and reopen them as needed.

StackExchange.ready(function() {
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function() {
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function() {
$hover.showInfoMessage('', {
messageElement: $msg.clone().show(),
transient: false,
position: { my: 'bottom left', at: 'top center', offsetTop: -7 },
dismissable: false,
relativeToBody: true
});
},
function() {
StackExchange.helpers.removeMessages();
}
);
});
});
Nov 13 '18 at 9:54


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.






marked as duplicate by Martijn Pieters python
Users with the  python badge can single-handedly close python questions as duplicates and reopen them as needed.

StackExchange.ready(function() {
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function() {
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function() {
$hover.showInfoMessage('', {
messageElement: $msg.clone().show(),
transient: false,
position: { my: 'bottom left', at: 'top center', offsetTop: -7 },
dismissable: false,
relativeToBody: true
});
},
function() {
StackExchange.helpers.removeMessages();
}
);
});
});
Nov 13 '18 at 9:54


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.










  • 1





    The sqlite3 documentation covers this for you; look for placeholders and parameters. Do not use string interpolation, as that would open you up to SQL injection attacks!

    – Martijn Pieters
    Nov 13 '18 at 9:53











  • For this specific query, use one placeholder (?): result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=?;', (cat,)), there cat is the customer ID. You do not need to convert it to a string first.

    – Martijn Pieters
    Nov 13 '18 at 10:00
















  • 1





    The sqlite3 documentation covers this for you; look for placeholders and parameters. Do not use string interpolation, as that would open you up to SQL injection attacks!

    – Martijn Pieters
    Nov 13 '18 at 9:53











  • For this specific query, use one placeholder (?): result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=?;', (cat,)), there cat is the customer ID. You do not need to convert it to a string first.

    – Martijn Pieters
    Nov 13 '18 at 10:00










1




1





The sqlite3 documentation covers this for you; look for placeholders and parameters. Do not use string interpolation, as that would open you up to SQL injection attacks!

– Martijn Pieters
Nov 13 '18 at 9:53





The sqlite3 documentation covers this for you; look for placeholders and parameters. Do not use string interpolation, as that would open you up to SQL injection attacks!

– Martijn Pieters
Nov 13 '18 at 9:53













For this specific query, use one placeholder (?): result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=?;', (cat,)), there cat is the customer ID. You do not need to convert it to a string first.

– Martijn Pieters
Nov 13 '18 at 10:00







For this specific query, use one placeholder (?): result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=?;', (cat,)), there cat is the customer ID. You do not need to convert it to a string first.

– Martijn Pieters
Nov 13 '18 at 10:00














1 Answer
1






active

oldest

votes


















0














Have you considered breaking the SQL statement.



cat = '"+'str(1)+'"';
result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID='+cat+';)'





share|improve this answer





















  • 1





    NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

    – Martijn Pieters
    Nov 13 '18 at 9:57






  • 1





    See the OWASP SQL Injection overview for why this is a really bad idea.

    – Martijn Pieters
    Nov 13 '18 at 9:59











  • He should add some security measures. Converting html special characters and SQL keywords.

    – Jolaosho batmat
    Nov 13 '18 at 10:00






  • 1





    Yes, and the first security measure is to use SQL parameters and not use string formatting.

    – Martijn Pieters
    Nov 13 '18 at 10:01






  • 1





    From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

    – Martijn Pieters
    Nov 13 '18 at 10:05


















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














Have you considered breaking the SQL statement.



cat = '"+'str(1)+'"';
result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID='+cat+';)'





share|improve this answer





















  • 1





    NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

    – Martijn Pieters
    Nov 13 '18 at 9:57






  • 1





    See the OWASP SQL Injection overview for why this is a really bad idea.

    – Martijn Pieters
    Nov 13 '18 at 9:59











  • He should add some security measures. Converting html special characters and SQL keywords.

    – Jolaosho batmat
    Nov 13 '18 at 10:00






  • 1





    Yes, and the first security measure is to use SQL parameters and not use string formatting.

    – Martijn Pieters
    Nov 13 '18 at 10:01






  • 1





    From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

    – Martijn Pieters
    Nov 13 '18 at 10:05
















0














Have you considered breaking the SQL statement.



cat = '"+'str(1)+'"';
result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID='+cat+';)'





share|improve this answer





















  • 1





    NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

    – Martijn Pieters
    Nov 13 '18 at 9:57






  • 1





    See the OWASP SQL Injection overview for why this is a really bad idea.

    – Martijn Pieters
    Nov 13 '18 at 9:59











  • He should add some security measures. Converting html special characters and SQL keywords.

    – Jolaosho batmat
    Nov 13 '18 at 10:00






  • 1





    Yes, and the first security measure is to use SQL parameters and not use string formatting.

    – Martijn Pieters
    Nov 13 '18 at 10:01






  • 1





    From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

    – Martijn Pieters
    Nov 13 '18 at 10:05














0












0








0







Have you considered breaking the SQL statement.



cat = '"+'str(1)+'"';
result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID='+cat+';)'





share|improve this answer















Have you considered breaking the SQL statement.



cat = '"+'str(1)+'"';
result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID='+cat+';)'






share|improve this answer














share|improve this answer



share|improve this answer








edited Nov 13 '18 at 9:58

























answered Nov 13 '18 at 9:56









Jolaosho batmatJolaosho batmat

94




94








  • 1





    NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

    – Martijn Pieters
    Nov 13 '18 at 9:57






  • 1





    See the OWASP SQL Injection overview for why this is a really bad idea.

    – Martijn Pieters
    Nov 13 '18 at 9:59











  • He should add some security measures. Converting html special characters and SQL keywords.

    – Jolaosho batmat
    Nov 13 '18 at 10:00






  • 1





    Yes, and the first security measure is to use SQL parameters and not use string formatting.

    – Martijn Pieters
    Nov 13 '18 at 10:01






  • 1





    From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

    – Martijn Pieters
    Nov 13 '18 at 10:05














  • 1





    NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

    – Martijn Pieters
    Nov 13 '18 at 9:57






  • 1





    See the OWASP SQL Injection overview for why this is a really bad idea.

    – Martijn Pieters
    Nov 13 '18 at 9:59











  • He should add some security measures. Converting html special characters and SQL keywords.

    – Jolaosho batmat
    Nov 13 '18 at 10:00






  • 1





    Yes, and the first security measure is to use SQL parameters and not use string formatting.

    – Martijn Pieters
    Nov 13 '18 at 10:01






  • 1





    From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

    – Martijn Pieters
    Nov 13 '18 at 10:05








1




1





NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

– Martijn Pieters
Nov 13 '18 at 9:57





NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

– Martijn Pieters
Nov 13 '18 at 9:57




1




1





See the OWASP SQL Injection overview for why this is a really bad idea.

– Martijn Pieters
Nov 13 '18 at 9:59





See the OWASP SQL Injection overview for why this is a really bad idea.

– Martijn Pieters
Nov 13 '18 at 9:59













He should add some security measures. Converting html special characters and SQL keywords.

– Jolaosho batmat
Nov 13 '18 at 10:00





He should add some security measures. Converting html special characters and SQL keywords.

– Jolaosho batmat
Nov 13 '18 at 10:00




1




1





Yes, and the first security measure is to use SQL parameters and not use string formatting.

– Martijn Pieters
Nov 13 '18 at 10:01





Yes, and the first security measure is to use SQL parameters and not use string formatting.

– Martijn Pieters
Nov 13 '18 at 10:01




1




1





From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

– Martijn Pieters
Nov 13 '18 at 10:05





From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

– Martijn Pieters
Nov 13 '18 at 10:05



Popular posts from this blog

Florida Star v. B. J. F.

Danny Elfman

Lugert, Oklahoma