Inserting variable as SQL value in python

Question

exp = "Ted is a good film"
cursor.execute ("insert into films (descp) values (exp)")
cursor.commit()

I'm using above code with MS SQL server, but it says: Invalid column name'exp' I'm using pyodbc.

FWIW, any of the solutions would work, but (at present) xbb's is the only one which isn't potentially vulnerable to SQL injection. — Aya
– Aya, Commented Apr 22, 2013 at 15:44

xbb · Accepted Answer · 2013-04-22 15:38:30Z

10

cursor.execute ("insert into films (descp) values (?)",exp)

answered Apr 22, 2013 at 15:38

xbb

2,1731 gold badge21 silver badges37 bronze badges

Sign up to request clarification or add additional context in comments.

2 Comments

My solution works, but xbb is more correct solution. Documentation

Your solution is worked, but it says : The statement has been terminated

eumiro · Accepted Answer · 2013-04-22 15:45:45Z

3

I think you should pass it as a tuple:

cursor.execute ("insert into films (descp) values (?)", (exp,))

answered Apr 22, 2013 at 15:45

eumiro

214k36 gold badges307 silver badges264 bronze badges

emigue · Accepted Answer · 2013-04-22 15:43:25Z

1

You need introduce exp content into insert expression as string. You can use string format and ' ':

exp = "Ted is a good film"
cursor.execute ("insert into films (descp) values ('{exp}')".format(exp=exp))
cursor.commit()

answered Apr 22, 2013 at 15:35

emigue

5023 silver badges14 bronze badges

After trying it said : The statement has been terminated.

How about exp = "anything'); drop table films; --" ?