Fetching Data From Microsoft Access Database Using Select Query With Where Clause In Python
Solution 1:
SQL injection is a serious issue and can ultimately destroy your database. The classic example to remember is Bobby Tables. For this reason, it's important to build your queries properly to prevent this; that requires some mechanism to "escape" an input so that it cannot be interpreted as a command in itself.
q = "select * from cus_details where cus_id = '" + cus + "' "
This query does not escape anything, since you simply throw the value of cus into your string. cur.execute(q, dis) then fails because there's no marker to explain where the value of dis is supposed to go.
The way to do this is to use placeholders and bindings. In SQLite3 these are ? and in other versions of SQL they are %s. I'm not sure which is expected here. EDIT: From Zev Spitz's comment, it seems that it's ? for the placeholder in this particular case (see the Parameters section).
Therefore, your query would look something like the following:
# qmark paramstyle: used by sqlite3 and by pyodbc (the usual driver for Access)
q = "SELECT * FROM cus_details WHERE cus_id = ?"
cur.execute(q, (cus,))  # the value is passed as a one-element tuple, never concatenated
# Or, for drivers that use the format paramstyle (e.g. MySQLdb, psycopg2)
q = "SELECT * FROM cus_details WHERE cus_id = %s"
cur.execute(q, (cus,))
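The difference between the two patterns above, as an added, runnable example that is not part of the original answer. It uses Python's built-in sqlite3 module with an in-memory database as a stand-in for the Access connection, because sqlite3 uses the same qmark (?) paramstyle as pyodbc, so the query text is identical; the table contents are constructed, and the function names are my own. It also reproduces the error the answer describes when cur.execute is given a parameter but the query has no placeholder.

```python
import sqlite3

# Constructed sample data standing in for the Access table cus_details.
SAMPLE_ROWS = [
    ("1", "Alice"),
    ("2", "Bob"),
    ("3", "Carol"),
]


def make_connection():
    """In-memory sqlite3 database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cus_details (cus_id TEXT PRIMARY KEY, cus_name TEXT)")
    conn.executemany("INSERT INTO cus_details VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def fetch_unsafe(conn, cus):
    """The original pattern: string concatenation, so cus is parsed as SQL."""
    q = "select * from cus_details where cus_id = '" + cus + "'"
    return conn.execute(q).fetchall()


def fetch_safe(conn, cus):
    """Placeholder plus bound parameter: the driver treats cus as data only."""
    q = "SELECT * FROM cus_details WHERE cus_id = ?"
    return conn.execute(q, (cus,)).fetchall()


def binding_mismatch_error(conn, cus):
    """Concatenated query plus a bound parameter: no marker for the value.

    Returns the name of the exception the driver raises (sqlite3 raises
    ProgrammingError for the binding-count mismatch), or None if no error.
    """
    q = "select * from cus_details where cus_id = '" + cus + "'"
    try:
        conn.execute(q, (cus,))
    except sqlite3.Error as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    conn = make_connection()
    # Classic tautology payload: closes the quoted literal and appends OR '1'='1'.
    evil = "' OR '1'='1"
    print("unsafe, honest input:", fetch_unsafe(conn, "2"))
    print("unsafe, injected input:", fetch_unsafe(conn, evil))  # every row leaks
    print("safe, honest input:", fetch_safe(conn, "2"))
    print("safe, injected input:", fetch_safe(conn, evil))      # no such cus_id
    print("concatenation + binding:", binding_mismatch_error(conn, "2"))
```

Run with the injected input, fetch_unsafe returns all three rows because the WHERE clause has become `cus_id = '' OR '1'='1'`, while fetch_safe returns nothing because the whole string is compared as a literal cus_id. The same behaviour applies with pyodbc against Access once the ? placeholder and the tuple are used.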