Replacing integers with variables in SQL commands in python [duplicate]












-1
















This question already has an answer here:




  • Escaping chars in Python and sqlite

    4 answers




So currently my code is this which works 



result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID="1";')


But as others use my programme the customer will change so how do I replace 1 with a variable like this..



cat = str(1)    

result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=cat;')


However, this doesn't work so any help thanks






python sql sqlite sqlite3 pyqt







share|improve this question













marked as duplicate by Martijn Pieters python
Users with the  python badge can single-handedly close python questions as duplicates and reopen them as needed.

StackExchange.ready(function() {
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function() {
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function() {
$hover.showInfoMessage('', {
messageElement: $msg.clone().show(),
transient: false,
position: { my: 'bottom left', at: 'top center', offsetTop: -7 },
dismissable: false,
relativeToBody: true
});
},
function() {
StackExchange.helpers.removeMessages();
}
);
});
});
 Nov 13 '18 at 9:54


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.











  • 1





    The sqlite3 documentation covers this for you; look for placeholders and parameters. Do not use string interpolation, as that would open you up to SQL injection attacks!

    – Martijn Pieters
    Nov 13 '18 at 9:53











  • For this specific query, use one placeholder (?): result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=?;', (cat,)), there cat is the customer ID. You do not need to convert it to a string first.

    – Martijn Pieters
    Nov 13 '18 at 10:00


















-1
















This question already has an answer here:




  • Escaping chars in Python and sqlite

    4 answers




So currently my code is this which works 



result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID="1";')


But as others use my programme the customer will change so how do I replace 1 with a variable like this..



cat = str(1)    

result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=cat;')


However, this doesn't work so any help thanks






python sql sqlite sqlite3 pyqt







share|improve this question













marked as duplicate by Martijn Pieters python
Users with the  python badge can single-handedly close python questions as duplicates and reopen them as needed.

StackExchange.ready(function() {
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function() {
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function() {
$hover.showInfoMessage('', {
messageElement: $msg.clone().show(),
transient: false,
position: { my: 'bottom left', at: 'top center', offsetTop: -7 },
dismissable: false,
relativeToBody: true
});
},
function() {
StackExchange.helpers.removeMessages();
}
);
});
});
 Nov 13 '18 at 9:54


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.











  • 1





    The sqlite3 documentation covers this for you; look for placeholders and parameters. Do not use string interpolation, as that would open you up to SQL injection attacks!

    – Martijn Pieters
    Nov 13 '18 at 9:53











  • For this specific query, use one placeholder (?): result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=?;', (cat,)), there cat is the customer ID. You do not need to convert it to a string first.

    – Martijn Pieters
    Nov 13 '18 at 10:00
















-1












-1








-1









This question already has an answer here:




  • Escaping chars in Python and sqlite

    4 answers




So currently my code is this which works 



result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID="1";')


But as others use my programme the customer will change so how do I replace 1 with a variable like this..



cat = str(1)    

result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=cat;')


However, this doesn't work so any help thanks






python sql sqlite sqlite3 pyqt







share|improve this question















This question already has an answer here:




  • Escaping chars in Python and sqlite

    4 answers




So currently my code is this which works 



result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID="1";')


But as others use my programme the customer will change so how do I replace 1 with a variable like this..



cat = str(1)    

result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=cat;')


However, this doesn't work so any help thanks





This question already has an answer here:




  • Escaping chars in Python and sqlite

    4 answers







python sql sqlite sqlite3 pyqt




python sql sqlite sqlite3 pyqt






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 13 '18 at 9:50









Megan59781Megan59781

435




435




marked as duplicate by Martijn Pieters python
Users with the  python badge can single-handedly close python questions as duplicates and reopen them as needed.

StackExchange.ready(function() {
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function() {
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function() {
$hover.showInfoMessage('', {
messageElement: $msg.clone().show(),
transient: false,
position: { my: 'bottom left', at: 'top center', offsetTop: -7 },
dismissable: false,
relativeToBody: true
});
},
function() {
StackExchange.helpers.removeMessages();
}
);
});
});
 Nov 13 '18 at 9:54


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.






marked as duplicate by Martijn Pieters python
Users with the  python badge can single-handedly close python questions as duplicates and reopen them as needed.

StackExchange.ready(function() {
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function() {
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function() {
$hover.showInfoMessage('', {
messageElement: $msg.clone().show(),
transient: false,
position: { my: 'bottom left', at: 'top center', offsetTop: -7 },
dismissable: false,
relativeToBody: true
});
},
function() {
StackExchange.helpers.removeMessages();
}
);
});
});
 Nov 13 '18 at 9:54


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.










  • 1





    The sqlite3 documentation covers this for you; look for placeholders and parameters. Do not use string interpolation, as that would open you up to SQL injection attacks!

    – Martijn Pieters
    Nov 13 '18 at 9:53











  • For this specific query, use one placeholder (?): result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=?;', (cat,)), there cat is the customer ID. You do not need to convert it to a string first.

    – Martijn Pieters
    Nov 13 '18 at 10:00
















  • 1





    The sqlite3 documentation covers this for you; look for placeholders and parameters. Do not use string interpolation, as that would open you up to SQL injection attacks!

    – Martijn Pieters
    Nov 13 '18 at 9:53











  • For this specific query, use one placeholder (?): result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=?;', (cat,)), there cat is the customer ID. You do not need to convert it to a string first.

    – Martijn Pieters
    Nov 13 '18 at 10:00










1




1





The sqlite3 documentation covers this for you; look for placeholders and parameters. Do not use string interpolation, as that would open you up to SQL injection attacks!

– Martijn Pieters
Nov 13 '18 at 9:53





The sqlite3 documentation covers this for you; look for placeholders and parameters. Do not use string interpolation, as that would open you up to SQL injection attacks!

– Martijn Pieters
Nov 13 '18 at 9:53













For this specific query, use one placeholder (?): result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=?;', (cat,)), there cat is the customer ID. You do not need to convert it to a string first.

– Martijn Pieters
Nov 13 '18 at 10:00







For this specific query, use one placeholder (?): result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID=?;', (cat,)), there cat is the customer ID. You do not need to convert it to a string first.

– Martijn Pieters
Nov 13 '18 at 10:00














1 Answer
1






active

oldest

votes


















0














Have you considered breaking the SQL statement.



cat = '"+'str(1)+'"';

result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID='+cat+';)'





share|improve this answer





















  • 1





    NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

    – Martijn Pieters
    Nov 13 '18 at 9:57






  • 1





    See the OWASP SQL Injection overview for why this is a really bad idea.

    – Martijn Pieters
    Nov 13 '18 at 9:59











  • He should add some security measures. Converting html special characters and SQL keywords.

    – Jolaosho batmat
    Nov 13 '18 at 10:00






  • 1





    Yes, and the first security measure is to use SQL parameters and not use string formatting.

    – Martijn Pieters
    Nov 13 '18 at 10:01






  • 1





    From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

    – Martijn Pieters
    Nov 13 '18 at 10:05


















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














Have you considered breaking the SQL statement.



cat = '"+'str(1)+'"';

result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID='+cat+';)'





share|improve this answer





















  • 1





    NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

    – Martijn Pieters
    Nov 13 '18 at 9:57






  • 1





    See the OWASP SQL Injection overview for why this is a really bad idea.

    – Martijn Pieters
    Nov 13 '18 at 9:59











  • He should add some security measures. Converting html special characters and SQL keywords.

    – Jolaosho batmat
    Nov 13 '18 at 10:00






  • 1





    Yes, and the first security measure is to use SQL parameters and not use string formatting.

    – Martijn Pieters
    Nov 13 '18 at 10:01






  • 1





    From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

    – Martijn Pieters
    Nov 13 '18 at 10:05
















0














Have you considered breaking the SQL statement.



cat = '"+'str(1)+'"';

result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID='+cat+';)'





share|improve this answer





















  • 1





    NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

    – Martijn Pieters
    Nov 13 '18 at 9:57






  • 1





    See the OWASP SQL Injection overview for why this is a really bad idea.

    – Martijn Pieters
    Nov 13 '18 at 9:59











  • He should add some security measures. Converting html special characters and SQL keywords.

    – Jolaosho batmat
    Nov 13 '18 at 10:00






  • 1





    Yes, and the first security measure is to use SQL parameters and not use string formatting.

    – Martijn Pieters
    Nov 13 '18 at 10:01






  • 1





    From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

    – Martijn Pieters
    Nov 13 '18 at 10:05














0












0








0







Have you considered breaking the SQL statement.



cat = '"+'str(1)+'"';

result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID='+cat+';)'





share|improve this answer















Have you considered breaking the SQL statement.



cat = '"+'str(1)+'"';

result = connection.execute('SELECT * FROM PastOrders WHERE CustomerID='+cat+';)'






share|improve this answer














share|improve this answer



share|improve this answer








edited Nov 13 '18 at 9:58

























answered Nov 13 '18 at 9:56









Jolaosho batmatJolaosho batmat

94




94








  • 1





    NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

    – Martijn Pieters
    Nov 13 '18 at 9:57






  • 1





    See the OWASP SQL Injection overview for why this is a really bad idea.

    – Martijn Pieters
    Nov 13 '18 at 9:59











  • He should add some security measures. Converting html special characters and SQL keywords.

    – Jolaosho batmat
    Nov 13 '18 at 10:00






  • 1





    Yes, and the first security measure is to use SQL parameters and not use string formatting.

    – Martijn Pieters
    Nov 13 '18 at 10:01






  • 1





    From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

    – Martijn Pieters
    Nov 13 '18 at 10:05














  • 1





    NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

    – Martijn Pieters
    Nov 13 '18 at 9:57






  • 1





    See the OWASP SQL Injection overview for why this is a really bad idea.

    – Martijn Pieters
    Nov 13 '18 at 9:59











  • He should add some security measures. Converting html special characters and SQL keywords.

    – Jolaosho batmat
    Nov 13 '18 at 10:00






  • 1





    Yes, and the first security measure is to use SQL parameters and not use string formatting.

    – Martijn Pieters
    Nov 13 '18 at 10:01






  • 1





    From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

    – Martijn Pieters
    Nov 13 '18 at 10:05








1




1





NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

– Martijn Pieters
Nov 13 '18 at 9:57





NO, you should NEVER use string formatting to interpolate untrusted data into a SQL command!

– Martijn Pieters
Nov 13 '18 at 9:57




1




1





See the OWASP SQL Injection overview for why this is a really bad idea.

– Martijn Pieters
Nov 13 '18 at 9:59





See the OWASP SQL Injection overview for why this is a really bad idea.

– Martijn Pieters
Nov 13 '18 at 9:59













He should add some security measures. Converting html special characters and SQL keywords.

– Jolaosho batmat
Nov 13 '18 at 10:00





He should add some security measures. Converting html special characters and SQL keywords.

– Jolaosho batmat
Nov 13 '18 at 10:00




1




1





Yes, and the first security measure is to use SQL parameters and not use string formatting.

– Martijn Pieters
Nov 13 '18 at 10:01





Yes, and the first security measure is to use SQL parameters and not use string formatting.

– Martijn Pieters
Nov 13 '18 at 10:01




1




1





From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

– Martijn Pieters
Nov 13 '18 at 10:05





From the sqlite3 documentation: Instead, use the DB-API’s parameter substitution. Put ? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor’s execute() method.. SQL parameters take care of proper escaping of values for you.

– Martijn Pieters
Nov 13 '18 at 10:05



-

Popular posts from this blog

Florida Star v. B. J. F.

Image
Florida Star v. B. J. F. From Wikipedia, the free encyclopedia Jump to navigation Jump to search United States Supreme Court case Florida Star v. B. J. F. Supreme Court of the United States Argued March 21, 1989 Decided June 21, 1989 Full case name The Florida Star v. B. J. F. Citations 491 U.S. 524 ( more ) 109 S. Ct. 2603; 105 L. Ed. 2d 443; 1989 U.S. LEXIS 3120; 57 U.S.L.W. 4816; 16 Media L. Rep. 1801 Prior history The Florida Star v. B.J.F., 530 So.2d 286 (1988) Supreme Court of Florida; Florida Star v. B.J.F., 499 So.2d 883 (1986) Fla. Dist. Court of Appeals Holding Florida Stat. § 794.03 is unconstitutional to the extent it makes the truthful reporting of information that was a matter of public record unlawful, as it violates the First Amendment. Court membership Chief Justice William Rehnquist Associate Justices William J. Brennan Jr.  · Byron White Thurgood Marshall  · Harry Blac
Read more

Danny Elfman

Image
Danny Elfman From Wikipedia, the free encyclopedia Jump to navigation Jump to search Danny Elfman Elfman at the 2010 San Diego Comic-Con Born Daniel Robert Elfman ( 1953-05-29 ) May 29, 1953 (age 65) Los Angeles, California, U.S. Spouse(s) Bridget Fonda ( m.  2003) Children 1 Musical career Genres Rock [1] ska [2] new wave film music video game music Occupation(s) Composer, singer, songwriter, record producer Instruments Trombone guitar percussion vocals keyboards [3] Years active 1972–present Associated acts Oingo Boingo James Newton Howard Daniel Robert Elfman (born May 29, 1953) is an American composer, singer, songwriter, and record producer. Elfman first became known for being the lead singer and songwriter for the band Oingo Boingo from 1974 to 1995. He is well known for scoring films and television shows, particularly his frequent collabora
Read more

Retrieve a Users Dashboard in Tumblr with R and TumblR. Oauth Issues

Image
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 0 I am trying to use the TumblR package in R to set up the Oauth Authentication to Retrieve a user's dashboard using the second example in tumblR documentation However I get the following error, it seems that using twitter others have been able to use a different function to get around this, but I am not finding the same function available for Tumblr. See twitter package for R authentication: error 401 My code consumer_key <- OKey consumer_secret <- SKey appname <- App_name tokenURL <- 'http://www.tumblr.com/oauth/request_token' accessTokenURL <- 'http://www.tumblr.com/oauth/acces_token'
Read more