Python String Formats with SQL Wildcards and LIKE

python sql format sql-like

Solution 1:

Those queries all appear to be vulnerable to SQL injection attacks.

Try something like this instead:

curs.execute("""SELECT tag.userId, count(user.id) as totalRows 
                  FROM user 
            INNER JOIN tag ON user.id = tag.userId 
                 WHERE user.username LIKE %s""", ('%' + query + '%',))

Where there are two arguments being passed to execute().

Solution 2:

It's not about string formatting but the problem is how queries should be executed according to db operations requirements in Python (PEP 249)

try something like this:

sql = "SELECT column FROM table WHERE col1=%s AND col2=%s" 
params = (col1_value, col2_value)
cursor.execute(sql, params)

here are some examples for psycog2 where you have some explanations that should also be valid for mysql (mysqldb also follows PEP249 dba api guidance 2.0: here are examples for mysqldb)

Solution 3:

To escape ampersands in Python string formatting expressions, double the ampersand:

'%%%s%%' % search_string

Edit: But I definitely agree with another answer. Direct string substitution in SQL queries is almost always a bad idea.

Related

Check if boolean is true? [closed]
Identifying the CPU architecture type using C#
Unable to call App_Code class from a code-behind
How can I easily duplicate/copy an existing realm object
XMLHttpRequest error in flutter web [Enabling CORS AWS API gateway]
Is there a way to "override" a method with reflection?
Changing startup form in C#
Add spacing between vertically stacked columns in Bootstrap 4
inverse=true in JPA annotations
How to sort dictionary by key in numerical order Python
How to make JQuery-AJAX request synchronous
Use history.push in action creator with react-router-v4?