Replacing integers with variables in SQL commands in python [duplicate]












-1
















This question already has an answer here:




  • Escaping chars in Python and sqlite

    4 answers




So currently my code is this which works 



result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID="1";')


But as others use my programme the customer will change so how do I replace 1 with a variable like this..



cat = str(1)    

result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=cat;')


However, this doesn't work so any help thanks






python sql sqlite sqlite3 pyqt







share|improve this question













marked as duplicate by Martijn Pieters python
Users with the  python badge can single-handedly close python questions as duplicates and reopen them as needed.

StackExchange.ready(function() {
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function() {
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function() {
$hover.showInfoMessage('', {
messageElement: $msg.clone().show(),
transient: false,
position: { my: 'bottom left', at: 'top center', offsetTop: -7 },
dismissable: false,
relativeToBody: true
});
},
function() {
StackExchange.helpers.removeMessages();
}
);
});
});
 Nov 13 '18 at 9:54


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.











  • 1





    The sqlite3 documentation covers this for you; look for placeholders and parameters. Do not use string interpolation, as that would open you up to SQL injection attacks!

    – Martijn Pieters
    Nov 13 '18 at 9:53











  • For this specific query, use one placeholder (?): result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=?;', (cat,)), there cat is the customer ID. You do not need to convert it to a string first.

    – Martijn Pieters
    Nov 13 '18 at 10:00


















-1
















This question already has an answer here:




  • Escaping chars in Python and sqlite

    4 answers




So currently my code is this which works 



result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID="1";')


But as others use my programme the customer will change so how do I replace 1 with a variable like this..



cat = str(1)    

result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=cat;')


However, this doesn't work so any help thanks






python sql sqlite sqlite3 pyqt







share|improve this question













marked as duplicate by Martijn Pieters python
Users with the  python badge can single-handedly close python questions as duplicates and reopen them as needed.

StackExchange.ready(function() {
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function() {
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function() {
$hover.showInfoMessage('', {
messageElement: $msg.clone().show(),
transient: false,
position: { my: 'bottom left', at: 'top center', offsetTop: -7 },
dismissable: false,
relativeToBody: true
});
},
function() {
StackExchange.helpers.removeMessages();
}
);
});
});
 Nov 13 '18 at 9:54


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.











  • 1





    The sqlite3 documentation covers this for you; look for placeholders and parameters. Do not use string interpolation, as that would open you up to SQL injection attacks!

    – Martijn Pieters
    Nov 13 '18 at 9:53











  • For this specific query, use one placeholder (?): result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=?;', (cat,)), there cat is the customer ID. You do not need to convert it to a string first.

    – Martijn Pieters
    Nov 13 '18 at 10:00
















-1












-1








-1









This question already has an answer here:




  • Escaping chars in Python and sqlite

    4 answers




So currently my code is this which works 



result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID="1";')


But as others use my programme the customer will change so how do I replace 1 with a variable like this..



cat = str(1)    

result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=cat;')


However, this doesn't work so any help thanks






python sql sqlite sqlite3 pyqt







share|improve this question















This question already has an answer here:




  • Escaping chars in Python and sqlite

    4 answers




So currently my code is this which works 



result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID="1";')


But as others use my programme the customer will change so how do I replace 1 with a variable like this..



cat = str(1)    

result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=cat;')


However, this doesn't work so any help thanks





This question already has an answer here:




  • Escaping chars in Python and sqlite

    4 answers







python sql sqlite sqlite3 pyqt




python sql sqlite sqlite3 pyqt






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 13 '18 at 9:50









Megan59781Megan59781

435




435




marked as duplicate by Martijn Pieters python
Users with the  python badge can single-handedly close python questions as duplicates and reopen them as needed.

StackExchange.ready(function() {
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function() {
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function() {
$hover.showInfoMessage('', {
messageElement: $msg.clone().show(),
transient: false,
position: { my: 'bottom left', at: 'top center', offsetTop: -7 },
dismissable: false,
relativeToBody: true
});
},
function() {
StackExchange.helpers.removeMessages();
}
);
});
});
 Nov 13 '18 at 9:54


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.






marked as duplicate by Martijn Pieters python
Users with the  python badge can single-handedly close python questions as duplicates and reopen them as needed.

StackExchange.ready(function() {
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function() {
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function() {
$hover.showInfoMessage('', {
messageElement: $msg.clone().show(),
transient: false,
position: { my: 'bottom left', at: 'top center', offsetTop: -7 },
dismissable: false,
relativeToBody: true
});
},
function() {
StackExchange.helpers.removeMessages();
}
);
});
});
 Nov 13 '18 at 9:54


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.










  • 1





    The sqlite3 documentation covers this for you; look for placeholders and parameters. Do not use string interpolation, as that would open you up to SQL injection attacks!

    – Martijn Pieters
    Nov 13 '18 at 9:53











  • For this specific query, use one placeholder (?): result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=?;', (cat,)), there cat is the customer ID. You do not need to convert it to a string first.

    – Martijn Pieters
    Nov 13 '18 at 10:00
















  • 1





    The sqlite3 documentation covers this for you; look for placeholders and parameters. Do not use string interpolation, as that would open you up to SQL injection attacks!

    – Martijn Pieters
    Nov 13 '18 at 9:53











  • For this specific query, use one placeholder (?): result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=?;', (cat,)), there cat is the customer ID. You do not need to convert it to a string first.

    – Martijn Pieters
    Nov 13 '18 at 10:00










1




1





The sqlite3 documentation covers this for you; look for placeholders and parameters. Do not use string interpolation, as that would open you up to SQL injection attacks!

– Martijn Pieters
Nov 13 '18 at 9:53





The sqlite3 documentation covers this for you; look for placeholders and parameters. Do not use string interpolation, as that would open you up to SQL injection attacks!

– Martijn Pieters
Nov 13 '18 at 9:53













For this specific query, use one placeholder (?): result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=?;', (cat,)), there cat is the customer ID. You do not need to convert it to a string first.

– Martijn Pieters
Nov 13 '18 at 10:00







For this specific query, use one placeholder (?): result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=?;', (cat,)), there cat is the customer ID. You do not need to convert it to a string first.

– Martijn Pieters
Nov 13 '18 at 10:00














1 Answer
1






active

oldest

votes


















0














Have you considered breaking the SQL statement.



cat = '"+'str(1)+'"';

result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID='+cat+';)'





share|improve this answer





















  • 1





    NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

    – Martijn Pieters
    Nov 13 '18 at 9:57






  • 1





    See the OWASP SQL Injection overview for why this is a really bad idea.

    – Martijn Pieters
    Nov 13 '18 at 9:59











  • He should add some security measures. Converting html special characters and SQL keywords.

    – Jolaosho batmat
    Nov 13 '18 at 10:00






  • 1





    Yes, and the first security measure is to use SQL parameters and not use string formatting.

    – Martijn Pieters
    Nov 13 '18 at 10:01






  • 1





    From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

    – Martijn Pieters
    Nov 13 '18 at 10:05


















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














Have you considered breaking the SQL statement.



cat = '"+'str(1)+'"';

result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID='+cat+';)'





share|improve this answer





















  • 1





    NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

    – Martijn Pieters
    Nov 13 '18 at 9:57






  • 1





    See the OWASP SQL Injection overview for why this is a really bad idea.

    – Martijn Pieters
    Nov 13 '18 at 9:59











  • He should add some security measures. Converting html special characters and SQL keywords.

    – Jolaosho batmat
    Nov 13 '18 at 10:00






  • 1





    Yes, and the first security measure is to use SQL parameters and not use string formatting.

    – Martijn Pieters
    Nov 13 '18 at 10:01






  • 1





    From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

    – Martijn Pieters
    Nov 13 '18 at 10:05
















0














Have you considered breaking the SQL statement.



cat = '"+'str(1)+'"';

result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID='+cat+';)'





share|improve this answer





















  • 1





    NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

    – Martijn Pieters
    Nov 13 '18 at 9:57






  • 1





    See the OWASP SQL Injection overview for why this is a really bad idea.

    – Martijn Pieters
    Nov 13 '18 at 9:59











  • He should add some security measures. Converting html special characters and SQL keywords.

    – Jolaosho batmat
    Nov 13 '18 at 10:00






  • 1





    Yes, and the first security measure is to use SQL parameters and not use string formatting.

    – Martijn Pieters
    Nov 13 '18 at 10:01






  • 1





    From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

    – Martijn Pieters
    Nov 13 '18 at 10:05














0












0








0







Have you considered breaking the SQL statement.



cat = '"+'str(1)+'"';

result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID='+cat+';)'





share|improve this answer















Have you considered breaking the SQL statement.



cat = '"+'str(1)+'"';

result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID='+cat+';)'






share|improve this answer














share|improve this answer



share|improve this answer








edited Nov 13 '18 at 9:58

























answered Nov 13 '18 at 9:56









Jolaosho batmatJolaosho batmat

94




94








  • 1





    NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

    – Martijn Pieters
    Nov 13 '18 at 9:57






  • 1





    See the OWASP SQL Injection overview for why this is a really bad idea.

    – Martijn Pieters
    Nov 13 '18 at 9:59











  • He should add some security measures. Converting html special characters and SQL keywords.

    – Jolaosho batmat
    Nov 13 '18 at 10:00






  • 1





    Yes, and the first security measure is to use SQL parameters and not use string formatting.

    – Martijn Pieters
    Nov 13 '18 at 10:01






  • 1





    From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

    – Martijn Pieters
    Nov 13 '18 at 10:05














  • 1





    NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

    – Martijn Pieters
    Nov 13 '18 at 9:57






  • 1





    See the OWASP SQL Injection overview for why this is a really bad idea.

    – Martijn Pieters
    Nov 13 '18 at 9:59











  • He should add some security measures. Converting html special characters and SQL keywords.

    – Jolaosho batmat
    Nov 13 '18 at 10:00






  • 1





    Yes, and the first security measure is to use SQL parameters and not use string formatting.

    – Martijn Pieters
    Nov 13 '18 at 10:01






  • 1





    From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

    – Martijn Pieters
    Nov 13 '18 at 10:05








1




1





NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

– Martijn Pieters
Nov 13 '18 at 9:57





NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

– Martijn Pieters
Nov 13 '18 at 9:57




1




1





See the OWASP SQL Injection overview for why this is a really bad idea.

– Martijn Pieters
Nov 13 '18 at 9:59





See the OWASP SQL Injection overview for why this is a really bad idea.

– Martijn Pieters
Nov 13 '18 at 9:59













He should add some security measures. Converting html special characters and SQL keywords.

– Jolaosho batmat
Nov 13 '18 at 10:00





He should add some security measures. Converting html special characters and SQL keywords.

– Jolaosho batmat
Nov 13 '18 at 10:00




1




1





Yes, and the first security measure is to use SQL parameters and not use string formatting.

– Martijn Pieters
Nov 13 '18 at 10:01





Yes, and the first security measure is to use SQL parameters and not use string formatting.

– Martijn Pieters
Nov 13 '18 at 10:01




1




1





From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

– Martijn Pieters
Nov 13 '18 at 10:05





From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

– Martijn Pieters
Nov 13 '18 at 10:05



-

Popular posts from this blog

Florida Star v. B. J. F.

Image
Florida Star v. B. J. F. From Wikipedia, the free encyclopedia Jump to navigation Jump to search United States Supreme Court case Florida Star v. B. J. F. Supreme Court of the United States Argued March 21, 1989 Decided June 21, 1989 Full case name The Florida Star v. B. J. F. Citations 491 U.S. 524 ( more ) 109 S. Ct. 2603; 105 L. Ed. 2d 443; 1989 U.S. LEXIS 3120; 57 U.S.L.W. 4816; 16 Media L. Rep. 1801 Prior history The Florida Star v. B.J.F., 530 So.2d 286 (1988) Supreme Court of Florida; Florida Star v. B.J.F., 499 So.2d 883 (1986) Fla. Dist. Court of Appeals Holding Florida Stat. § 794.03 is unconstitutional to the extent it makes the truthful reporting of information that was a matter of public record unlawful, as it violates the First Amendment. Court membership Chief Justice William Rehnquist Associate Justices William J. Brennan Jr.  · Byron White Thurgood Marshall  · Harry Blac
Read more

Error while running script in elastic search , gateway timeout

Image
0 while running script in elastic search, I got 504 Gateway timeout error. { "query": { "bool": { "filter": { "script": { "script": " doc['creted_date'].date.getMonthOfYear() == 12 " } } } }, "aggs": { "test": { "date_histogram": { "field": "creted_date", "interval": "month", "format": "MMM" }, "aggs": { "cost": { "sum": { "field": "cost" } } }
Read more

Adding quotations to stringified JSON object values

Image
0 My stringified object data doesn't include quotation marks around object values, which errors when attempting JSON.parse() : '{ "affiliation": CORPORATE, "userId": 75c35d1c-5d12-4485-8fa8-b2f1551a3e6e }' I need the string to be: '{ "affiliation": "CORPORATE", "userId": "75c35d1c-5d12-4485-8fa8-b2f1551a3e6e" }' I'm using this regex to add quotes to the object keys: var newStr = str.replace(/(['"])?([a-z0-9A-Z_]+)(['"])?:/g, '"$2": '); For instance: '{ affiliation: CORPORATE }' to '{ "affiliation": CORPORATE }' There are only string values in my data, so I don't need to check value types. How can I alter my regex expression to add quotations to
Read more