
How do you write a query using LIKE with the MySQL connector and Python? I am trying to avoid SQL injection, and using an ORM is not an option.

    param = 'bob'
    select_query = mysql_conn.query_db("select * from table_one where col_name like '%?%' order by id asc limit 5", param)

No matter what I send in when the query gets executed I get the same results. I should be getting nothing.

When I use the below query I get an error.

    select_query = mysql_conn.query_db("select * from table_one where col_name like %s order by id asc limit 5", param)

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%s order by id asc limit 5' at line 1


You need to add the % wildcards to the param you're passing before escaping, e.g. like this:

select_query = mysql_conn.query_db(
    "select * from table_one where col_name like %s order by id asc limit 5",
    ("%{}%".format(param),)
)

Also the parameters should be passed as a tuple like above, or as a dict when using named parameters:

select_query = mysql_conn.query_db(
    "select * from table_one where col_name like %(p)s order by id asc limit 5",
    {"p": "%{}%".format(param)}
)

3 Comments

That worked. Thanks. I do have another question. I set the param as a tuple then send the query and the tuple to my connection class. But that fails? I have to set the param as a tuple in the connection class.
`param = (request.form['txt'],)` on my connection class (`<class 'tuple'>`):

    class get_connectioned():
        def query_db(self, query, param):
            self.curr.execute(query, (param))
            return self.curr

The above fails. But if I do the following it works. `param = request.form['txt']` (`<class 'str'>`):

    class get_connectioned():
        def query_db(self, query, param):
            self.curr.execute(query, ("%{}%".format(param),))
            return self.curr

Why does making the param a tuple in the class work, yet sending the param in as a tuple fails?
@user3525290 it's hard to say with the code like this in a comment. It should do approximately the same, except that the first one uses the parameter as is while the second encloses it in wildcards.

Note that any literal percent signs in the query string passed to execute() must be escaped, i.e. %%

http://mysql-python.sourceforge.net/MySQLdb.html

Which is pretty much the same thing as in old-style Python string formatting, C printf, etc.


You need to add the % wildcards to the param you're passing before escaping, e.g. like this:

select_query = mysql_conn.query_db(
    "select * from table_one where col_name like %s order by id asc limit 5",
    ("%{}%".format(param),)
)

Threw me an error à la

TypeError: a bytes-like object is required, not 'tuple'

so what worked for me was explicitly coding the quotation marks into the select query like this:

    "select * from table_one where col_name like \"%"+param+"%\" order by id asc limit 5"
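As an added example (not code from the question or from any of the answers), here is the parameterized LIKE query from the first answer next to the concatenated one from this answer, run against the standard-library sqlite3 driver so it works without a MySQL server. Assumptions: sqlite3 uses `?` as its placeholder where MySQLdb and mysql-connector use `%s`, the table and rows are constructed for the demo, and it additionally escapes the user's own `%` and `_` characters, which the answers above do not cover.

```python
import sqlite3


def like_param(user_input):
    # The '%' wildcards go into the parameter value, never into the SQL text.
    # User-supplied '%' and '_' are escaped so they match literally (a step the
    # answers above do not cover).
    escaped = (user_input.replace("\\", "\\\\")
                         .replace("%", "\\%")
                         .replace("_", "\\_"))
    return "%" + escaped + "%"


def search_parameterized(conn, user_input):
    # sqlite3 uses '?' where MySQLdb/mysql-connector use '%s'; the parameter is
    # still passed as a one-element tuple. ESCAPE '\' marks a literal % or _.
    cur = conn.execute(
        "select name from table_one where name like ? escape '\\' "
        "order by id asc limit 5",
        (like_param(user_input),),
    )
    return [row[0] for row in cur.fetchall()]


def search_concatenated(conn, user_input):
    # The last answer's approach: user text spliced into the SQL string (single
    # quotes here, since SQLite reads double-quoted names as identifiers).
    sql = ("select name from table_one where name like '%" + user_input +
           "%' order by id asc limit 5")
    return [row[0] for row in conn.execute(sql).fetchall()]


def concat_breaks_on(conn, user_input):
    # True if the concatenated statement no longer even parses for this input.
    try:
        search_concatenated(conn, user_input)
        return False
    except sqlite3.OperationalError:
        return True


def make_db():
    # Constructed sample rows; '50 dollars' shows an unescaped '%' over-matching.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table table_one (id integer primary key, name text)")
    conn.executemany("insert into table_one (name) values (?)",
                     [("bob",), ("bobby",), ("alice",),
                      ("50%_off",), ("50 dollars",)])
    return conn
```

With the sample rows, `search_parameterized(db, "50%")` returns only `['50%_off']` while `search_concatenated(db, "50%")` also returns `'50 dollars'`, and an input containing a single quote such as `"bob's"` makes the concatenated statement fail to parse at all.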
