
Fetching Data From Microsoft Access Database Using Select Query With Where Clause In Python

from tkinter import *
lg = Tk()
lg.state('zoomed')
def view():
    cus = accno.get()
    dis = [cus]
    print(dis)
    import pypyodbc
    con=pypyodbc.win_connect_mdb('D:\\customer_

Solution 1:

SQL injection is a serious issue and can ultimately destroy your database. The classic to remember is Bobby Tables. For this reason, it's important to build your queries properly to prevent this; that requires some mechanism to "escape" an input so that it cannot be interpreted as a command in itself.

q = "select * from cus_details where cus_id = '" + cus + "' "

This query does not escape anything, since you simply throw the value of cus into your string. cur.execute(q,dis) then fails because there's no marker to explain where the value of dis is supposed to go.

The way to do this is to use placeholders and bindings. In SQLite3 these are ? and in other versions of SQL they are %s. I'm not sure which is expected here. EDIT: From Zev Spitz's comment, it seems that it's ? for the placeholder in this particular case (see the Parameters section).

Therefore, your query would look something like the following:

q = "SELECT * FROM cus_details WHERE cus_id = ?"
cur.execute(q, (cus,))

# Or

q = "SELECT * FROM cus_details WHERE cus_id = %s"
cur.execute(q, (cus,))
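As an added example (not code from the question or the answer above), here are the concatenated and the parameterized query side by side, using Python's built-in sqlite3 module as an offline stand-in for the pypyodbc/Access connection; the cus_details table and its rows are constructed here, and the driver's DB-API paramstyle attribute is what tells you whether ? or %s is the expected marker.

```python
import sqlite3

# Constructed sample rows standing in for the Access cus_details table.
ROWS = [("A100", "Alice"), ("A200", "Bob"), ("A300", "Carol")]


def make_db():
    """Build an in-memory table shaped like cus_details (stand-in for Access)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cus_details (cus_id TEXT, name TEXT)")
    con.executemany("INSERT INTO cus_details VALUES (?, ?)", ROWS)
    con.commit()
    return con


def placeholder(module):
    """Return the marker a DB-API driver expects, read from its paramstyle.

    sqlite3 (and pyodbc-style drivers) report 'qmark' -> '?';
    drivers reporting 'format' expect '%s'.
    """
    return {"qmark": "?", "format": "%s"}[module.paramstyle]


QMARK = placeholder(sqlite3)  # '?' for sqlite3


def view_concat(con, cus):
    """The question's approach: the value is spliced into the SQL text,
    so anything in cus is parsed as SQL rather than as a customer id."""
    q = "select * from cus_details where cus_id = '" + cus + "'"
    return con.execute(q).fetchall()


def view_param(con, cus):
    """The answer's approach: a placeholder in the SQL and the value bound
    separately, so the driver always treats cus as a single string literal."""
    q = "SELECT * FROM cus_details WHERE cus_id = " + QMARK
    return con.execute(q, (cus,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(view_param(db, "A200"))        # only Bob's row
    # Same malformed id: the bound parameter matches nothing, while the
    # concatenated query no longer filters on cus_id at all.
    print(view_param(db, "x' OR '1'='1"))
    print(len(view_concat(db, "x' OR '1'='1")))
```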
