
I've created the following database using MySQL:

CREATE TABLE tutors (
id INTEGER NOT NULL AUTO_INCREMENT PRIMARY KEY,
name VARCHAR(50) NOT NULL,
email VARCHAR(320) NOT NULL,
description VARCHAR(400) NOT NULL,
image VARCHAR(150) NOT NULL, 
applyDate DATE NOT NULL)

where the image column stores the absolute paths to images I store in my file system.

However, when I try to insert user-inputted data such as

arguments = ("Name", "[email protected]", "desc", "C:\\Users\\path\\to\\image.png", "2020-08-23")

using Python with the code

cursor.execute("INSERT INTO tutors (name, email, description, image, applyDate) VALUES (?, ?, ?, ?, ?)", arguments)
conn.commit()

it gives me the following error:

mysql.connector.errors.ProgrammingError: Not all parameters were used in the SQL statement.

It works when I replace each ? with %s, but I've read that %s is vulnerable to SQL injection attacks, so I'd rather stay away from it if possible. Is there a reason ? isn't working?

You've read wrong. For prepared statements with the mysql.connector, %s is the placeholder, not ?. %s is subject to SQL Injection when it is not used as a placeholder for a prepared statement but instead used for textual substitution as in cursor.execute("SELECT y from t where x = '%s'" % some_value) instead of cursor.execute("SELECT y from t where x = %s", (some_value,)). Commented Aug 23, 2020 at 10:55

1 Answer

The ? placeholder only works with prepared statement cursors, such as cursor = conn.cursor(prepared=True).

If you don't want or need to use prepared statements, use %s as placeholder. It's safe since their values are escaped and quoted before the query is executed.
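As an added illustration (not code from the question or the answer), the following stand-in cursor mimics what a default mysql.connector cursor does with %s (escape and quote client-side, then substitute) and what a prepared=True cursor does with ? (send text and values separately), so the difference can be seen without a MySQL server. The quoting helper is an assumption that approximates the connector's converter, and ROW is a constructed record.

```python
INSERT_SQL = ("INSERT INTO tutors (name, email, description, image, applyDate) "
              "VALUES ({p}, {p}, {p}, {p}, {p})")

def quote_for_mysql(value):
    """Client-side quoting approximating mysql.connector's %s converter
    (an assumption; the real converter covers more types)."""
    if value is None:
        return "NULL"
    if isinstance(value, (int, float)):
        return str(value)
    escaped = str(value).replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"

class StandInCursor:
    """Records what would be sent to the server instead of talking to MySQL."""
    def __init__(self, prepared=False):
        self.prepared = prepared
        self.last = None

    def execute(self, sql, params=()):
        params = tuple(params)
        placeholder = "?" if self.prepared else "%s"
        if sql.count(placeholder) != len(params):
            # The error from the question: "?" is not a placeholder on a default
            # cursor, so the five parameters are never consumed.
            raise ValueError("Not all parameters were used in the SQL statement.")
        if self.prepared:
            # Server-side prepared statement: SQL text and values travel separately.
            self.last = (sql, params)
        else:
            # Default cursor: values are escaped and quoted client-side and then
            # substituted for %s before the text is sent, so they remain data.
            self.last = (sql % tuple(quote_for_mysql(v) for v in params), ())
        return self.last

def insert_tutor(cursor, row):
    """Pick the placeholder the cursor understands; values always go as params."""
    return cursor.execute(INSERT_SQL.format(p="?" if cursor.prepared else "%s"), row)

def lookup_unsafe(name):
    # The pattern the comment warns about: Python's % runs before MySQL sees the
    # text, so a quote inside the value changes the statement itself.
    return "SELECT y FROM t WHERE x = '%s'" % name

def lookup_safe(name):
    return StandInCursor().execute("SELECT y FROM t WHERE x = %s", (name,))[0]

ROW = ("O'Brien", "tutor@example.invalid", "desc",           # constructed sample row
       "C:\\Users\\path\\to\\image.png", "2020-08-23")
```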
