There are two problems with your code.
The first problem is with how you define your class.
```python
class Register(Form):
    reg_username = TextField('Username', [validators.Length(min=1, max=12)])
    username = str(reg_username)
    reg_password = PasswordField('Password', [
        validators.Required(),
        validators.EqualTo('confirm_password', message='Passwords do not match')
    ])
    confirm_password = PasswordField('Confirm Password')
    password = str(confirm_password)
    reg_email = TextField('Email', [validators.Length(min=6, max=35)])
    email = str(reg_email)
    enter_db = User(username, password, email)
    enter_db.database(username, password, email)
```
Your calls to `str` happen when the class is created and convert the `reg_username`, `confirm_password`, and `reg_email` attributes to strings. The value you are seeing in your error message is the return value from `TextField.__str__`.
You then attach `enter_db` as an attribute of `Register`. `enter_db` is a `User` instantiated with the values of `Register.username`, `Register.password`, and `Register.email`. Then, still at class creation time, you call `Register.enter_db.database` and give it the same values as you used to instantiate `Register.enter_db`.
At no point in time do you assign values to the `reg_username`, `confirm_password`, and `reg_email` fields. This is typically done by providing `request.form` when you instantiate `Register`, for example `form = Register(request.form)`. Once you have done this, you would be able to access the values of each field through `form.reg_username.data`, etc. This part would typically take place in a view function.
The second problem you are having is how you execute your SQL statement.

```python
"INSERT into users (username, pwd, e-mail) VALUES ('%s', '%s', '%s')" % (username, password, email)
```
This uses string interpolation to place the values of `username`, `password`, and `email` directly into the statement before executing it. In addition to this being a bad practice, any `'` in one of the values will break your statement. This is what's happening to you because `TextField.__str__` includes single quotes around the field's name.
A better (and more secure) approach would be to use a parameterized query. While the specifics vary from driver to driver, I believe the `?` is a pretty common implementation. This would change your query to something along the lines of

```python
"INSERT into users (username, pwd, email) VALUES (?, ?, ?)"
```

You'd then pass the values to `cur.execute`:

```python
cur.execute("INSERT into users (username, pwd, email) VALUES (?, ?, ?)", (username, password, email))
```
Addressing both of these should put you on the right path.
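As an added example (not part of the answer above), here are the interpolated and parameterized inserts side by side against an in-memory SQLite table, using the standard-library `sqlite3` driver, whose placeholder style is `?`. The table, the `users` columns and the sample username containing a `'` are constructed for this demonstration.

```python
import sqlite3

# Constructed sample input: a username containing a single quote, the same
# character that breaks the interpolated statement described in the answer.
SAMPLE_USER = ("O'Brien", "hunter2", "obrien@example.com")


def make_db():
    """Create a throwaway in-memory users table (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwd TEXT, email TEXT)")
    return conn


def insert_interpolated(conn, username, password, email):
    """The original approach: values pasted into the SQL text with %."""
    sql = "INSERT INTO users (username, pwd, email) VALUES ('%s', '%s', '%s')" % (
        username, password, email)
    conn.execute(sql)  # the quote in O'Brien ends the string early -> syntax error
    conn.commit()


def insert_parameterized(conn, username, password, email):
    """The fixed approach: ? placeholders, values handed to execute() separately."""
    conn.execute(
        "INSERT INTO users (username, pwd, email) VALUES (?, ?, ?)",
        (username, password, email),
    )
    conn.commit()


def interpolated_succeeds(username, password, email):
    """Return True if the interpolated insert runs, False if the driver rejects it."""
    conn = make_db()
    try:
        insert_interpolated(conn, username, password, email)
        return True
    except sqlite3.OperationalError:
        return False
    finally:
        conn.close()


def parameterized_roundtrip(username, password, email):
    """Insert with placeholders and return the username as stored in the table."""
    conn = make_db()
    insert_parameterized(conn, username, password, email)
    stored = conn.execute("SELECT username FROM users").fetchone()[0]
    conn.close()
    return stored
```

With `SAMPLE_USER`, `interpolated_succeeds` returns `False` because SQLite reports a syntax error at `Brien`, while `parameterized_roundtrip` stores and returns `O'Brien` unchanged.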