CodeDump
Brakebusk Brakebusk - 1 year ago 116
SQL Question

Escape string within %

I use PyMySQL to query from a MySQL database in python:

filter = "Pe"

connection = pymysql.connect(host="X", user="X", password="X", db="X", port=3306, cursorclass=pymysql.cursors.SSCursor)

cursor = connection.cursor()

sqlquery = "SELECT * FROM usertable WHERE name LIKE '%%s%'"

cursor.execute(sql, (filter))

response = cursor.fetchall()

connection.close()


This returns nothing.
I could write:

sqlquery = "SELECT * FROM usertable WHERE name LIKE '%" + filter +"%'"


and execute:
cursor.execute(sql)
, but then I lose the escaping, which makes the program vulnerable for injection attacks, right?

Is there way I could insert the value into the LIKE without losing the escape?

eugene y eugene y
Answer Source

You need to pass the whole pattern as a query parameter, and use a tuple:

filter = "%Pe%"
sql = "SELECT * FROM usertable WHERE name LIKE %s"
cursor.execute(sql, (filter,))
Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download

Sign up

Sign up with GitHub
Latest added
FNISaa2 Papyrus
GenerateFNISUsers
FNIScommon1
FNISaa1
woocommmercerestapi.php
fsagsas
test for the future
android by welookups
laravelrecaptcha
Updraft Log
Lenny
Brooklyn-stuff
aasdasda
Model and View in Laravel
tutorial.py
Main thing
Object
alarm.sh
promises vs async
PropagateMaskBoundary