
I want a simple Python program to prompt the user for a title and search a MySQL database. I have the database constructed but I can't figure out how to query it properly.

import MySQLdb
servername = "localhost";
username = "username";
password = "password";
conn = MySQLdb.connect(user=username,host=servername, passwd=password, db=db)
cursor = conn.cursor()
user_input = raw_input("What do you want to watch?:")
query= ("SELECT * from videos where title LIKE %s")
cursor.execute(query,user_input)

If I hardcode the query to say "where title LIKE '%HARDCODE%' ", then it works fine. I figure the solution is pretty simple but for the life of me I can't figure it out. Any help is much appreciated! I've tried every variation I could find online but to no avail. Some others I tried:

query= ("SELECT * from videos where title LIKE CONCAT('%',%s,'%')")

cursor.execute(query,(user_input,))

query= ("SELECT * from videos where title LIKE (search)"
        "VALUES (%s)", user_input)

... None of them work.

Errors all seem to revolve around me passing my variable user_input through correctly.


3 Answers


You can create your query like:

# The wildcards are added to the parameter value, not to the SQL text,
# so the driver quotes the whole pattern and user_input never becomes SQL.
cursor.execute("SELECT * FROM videos WHERE title LIKE %s", ("%" + user_input + "%",))

1 Comment

You should mention why calling the function in this way is the secure way to do it.
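To make the point raised in that comment concrete, here is an added example that is not from the question or any of the answers. It uses Python's built-in sqlite3 module so it runs offline without a MySQL server (sqlite's placeholder is `?` where MySQLdb uses `%s`; the way the pattern is built and bound is the same). It puts the safe, parameterized search next to the string-concatenation variant from the second answer and also escapes the LIKE metacharacters `%` and `_`, so that a user who types a literal `%` does not accidentally match every row. The table and titles are constructed sample data.

```python
import sqlite3

# Constructed sample catalogue for the demonstration (not real data).
SAMPLE_TITLES = [
    "The Matrix",
    "Matrix Reloaded",
    "100% Wolf",
    "Under_score",
    "Alien",
]


def make_db():
    """Build an in-memory videos table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT NOT NULL)")
    conn.executemany("INSERT INTO videos (title) VALUES (?)",
                     [(t,) for t in SAMPLE_TITLES])
    conn.commit()
    return conn


def like_pattern(user_input, escape="\\"):
    """Turn raw user text into a '%text%' LIKE pattern.

    The escape character, '%' and '_' are escaped first, so a literal '%'
    or '_' typed by the user matches itself instead of acting as a wildcard.
    The query must declare the same character in its ESCAPE clause.
    """
    escaped = (user_input
               .replace(escape, escape + escape)
               .replace("%", escape + "%")
               .replace("_", escape + "_"))
    return "%" + escaped + "%"


def search_titles(conn, user_input):
    """Safe version: the pattern travels as a bound parameter.

    The SQL text is a fixed string; whatever the user types is delivered to
    the engine as data, so it cannot change the structure of the query.
    """
    cur = conn.execute(
        "SELECT title FROM videos WHERE title LIKE ? ESCAPE '\\' ORDER BY id",
        (like_pattern(user_input),),
    )
    return [row[0] for row in cur.fetchall()]


def search_titles_unsafe(conn, user_input):
    """The string-concatenation approach from the second answer.

    Kept only for comparison: the input becomes part of the SQL text, so a
    quote character or a bare wildcard changes what the query does.
    """
    query = ("SELECT title FROM videos WHERE title LIKE '%"
             + user_input + "%' ORDER BY id")
    return [row[0] for row in conn.execute(query).fetchall()]


if __name__ == "__main__":
    db = make_db()
    for text in ["matrix", "%", "' OR '1'='1"]:
        print(repr(text), "safe:", search_titles(db, text),
              "unsafe:", search_titles_unsafe(db, text))
```

Running the module shows the difference directly: for "matrix" both functions return the two Matrix titles, but for a lone "%" the parameterized search returns only "100% Wolf" while the concatenated query returns every row, and an input containing a quote character returns nothing from the safe search but again returns every row from the unsafe one. In MySQL the default LIKE escape character is already the backslash, so the `ESCAPE` clause is optional there, but stating it explicitly keeps the query portable.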

I think the solution given by @ddsu should have solved your problem. In case it didn't, I am going to use the same line of code, but I am posting the full code for your problem:

import MySQLdb
servername = "localhost"
username = "username"
password = "password"
conn = MySQLdb.connect(user=username,host=servername, passwd=password, db=db)
cursor = conn.cursor()
user_input = raw_input("What do you want to watch?:")
# The user's text is concatenated straight into the SQL string
# (quotes added so the statement parses; see the comment below on why
# this is unsafe).
query= ("SELECT * from videos where title LIKE '%"+user_input+"%'")
cursor.execute(query)

1 Comment

This answer is vulnerable to SQL injection. Dacuna's answer utilizes the sanitization built into the cursor.execute function, by passing the user input directly to the execute function whereas this function simply places it into the string with no sanitization.

The solution to your problem is putting your input in brackets ( ,) so the result would look something like this:

user_input = (raw_input("What do you want to watch?:"), )

Don't forget to put the comma.

In full you have:

import MySQLdb
servername = "localhost"
username = "username"
password = "password"
conn = MySQLdb.connect(user=username,host=servername, passwd=password, db=db)
cursor = conn.cursor()
# A one-element tuple, so execute() receives a parameter sequence
user_input = (raw_input("What do you want to watch?:"), )
query= ("SELECT * from videos where title LIKE %s")
cursor.execute(query,user_input)
