
I'm having a problem whilst trying to execute an SQL line of code:

sql1 = "select ",(variable.get())," FROM ProductTable WHERE", Queryby.get()
cursor.execute(sql1)

When I go to execute these lines of code in the program, it says

ValueError: operation parameter must be str

I presume this is because of the fact I am trying to use .get() inside the sql line of code. The reason I assume this is because if I change the code from cursor.execute(sql) to print(sql1) it says:

('select ', 'OrderNo', ' FROM ProductTable WHERE', 'This is a test')

I think the problem is that this isn't all considered a string, but I'm unsure of the resolution on how to call the .get() parts of the code without interfering with the SQL. Any suggestions?

  • Strings can be concatenated using +, not ,. I'm not sure what the Queryby part is supposed to do with the string it generates...? Compare it to something? Commented Mar 13, 2016 at 19:01

1 Answer


Instead of using commas, join the strings using +:

sql1 = "select " + variable.get() + " FROM ProductTable WHERE" + Queryby.get()

This will return a string, but note that in general this is an insecure way to build your query. Instead of simply sticking strings to each other please read up on parameterized queries to protect yourself from SQL injection, one of the most common security vulnerabilities there is.

I'm not sure precisely what library you are using for your database access, but most support parameterization out of the box.
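As an added illustration (not part of the original answer), here is the same SELECT built with Python's sqlite3 module, which is where the question's ValueError comes from. Column names cannot be bound as parameters, so they are checked against an allowlist; the compared value is bound with a ? placeholder so the driver never treats it as SQL. The ProductTable columns and rows are constructed for the example, and the concatenating variant is included only to contrast the two.

```python
import sqlite3

# Assumed column names for the question's ProductTable (constructed for this example).
ALLOWED_COLUMNS = {"OrderNo", "ProductName", "Price"}


def make_db():
    """Build a small in-memory ProductTable with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ProductTable (OrderNo INTEGER, ProductName TEXT, Price REAL)")
    conn.executemany(
        "INSERT INTO ProductTable VALUES (?, ?, ?)",
        [(1, "Widget", 9.99), (2, "Gadget", 19.5), (3, "Widget", 4.25)],
    )
    return conn


def select_where(conn, select_col, where_col, value):
    """Parameterized version: identifiers are allowlisted, the value is bound."""
    if select_col not in ALLOWED_COLUMNS or where_col not in ALLOWED_COLUMNS:
        raise ValueError("unknown column: %r / %r" % (select_col, where_col))
    sql = "SELECT %s FROM ProductTable WHERE %s = ?" % (select_col, where_col)
    cur = conn.execute(sql, (value,))      # the value never becomes part of the SQL text
    return [row[0] for row in cur.fetchall()]


def select_where_concat(conn, select_col, where_col, value):
    """The string-concatenation pattern from the answer above, shown only for contrast.
    Any quote character in `value` changes the meaning of the statement."""
    sql = ("SELECT " + select_col + " FROM ProductTable WHERE "
           + where_col + " = '" + value + "'")
    return [row[0] for row in conn.execute(sql).fetchall()]


def run_demo():
    """Compare both builders on a normal value and on a value containing a quote."""
    conn = make_db()
    odd_value = "Widget' OR '1'='1"       # constructed input with an embedded quote
    return {
        "param_normal": select_where(conn, "OrderNo", "ProductName", "Widget"),
        "param_odd": select_where(conn, "OrderNo", "ProductName", odd_value),
        "concat_odd": select_where_concat(conn, "OrderNo", "ProductName", odd_value),
    }
```

With parameters the odd value is compared literally and matches nothing, whereas the concatenated form returns every row; the allowlist also rejects anything that is not a known column name.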
