Crytrus Crytrus - 3 years ago 444
Python Question

sqlite3.OperationalError: near "?": syntax error

I have a problem, i just keep getting error however i am trying to format this. Also tried %s.

Any suggestions?

group_food = (group, food)
group_food_new = (group, food, 1)

with con:

cur = con.cursor()
tmp = cur.execute("SELECT COUNT(Name) FROM (?) WHERE Name=?", group_food)

if tmp == 0:
cur.execute("INSERT INTO ? VALUES(?, ?)", group_food_new)
else:
times_before = cur.execute("SELECT Times FROM ? WHERE Name=?", group_food)
group_food_update = (group, (times_before +1), food)

cur.execute("UPDATE ? SET Times=? WHERE Name=?", group_food_update)

Answer Source

You cannot use SQL parameters to be placeholders in SQL objects; one of the reasons for using a SQL parameters is to escape the value such that the database can never mistake the contents for a database object.

You'll have to interpolate the database objects separately:

cur.execute("SELECT COUNT(Name) FROM {} WHERE Name=?".format(group), (food,))

and

cur.execute("INSERT INTO {} VALUES(?, ?)".format(group), (food, 1))

and

cur.execute("UPDATE {} SET Times=? WHERE Name=?".format(group),
            (times_before + 1, food))

If your object names are user-sourced, you'll have to do your own (stringent) validation on the object names to prevent SQL injection attacks here. Always validate them against existing objects in that case.

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download