You should insert 'TheOddOne' as a string. To do this, simply add quotes to {9}:
q += "VALUES({5},{6},{7},{8},'{9}')"
But this method is prone to SQL injection. Consider the following example:
# Testing SQL Injection
print('Testing SQL Injection')
c = ['\' or 1 = 1 or \'']
q = "SELECT * FROM summoners WHERE name = '{0}'"
# The value is formatted straight into the SQL text (the vulnerable part)
query = q.format(*c)
print(query)
cursor.execute(query)
if cursor.rowcount > 0:
    print(cursor.fetchall())
else:
    print("no item found")
This will give us all the records.
The best solution - use parameterized queries like this:
q = "INSERT IGNORE INTO summoners (profileIconId, summonerLevel, revisionDate, id, name) VALUES (%s,%s,%s,%s,%s) "
cursor.execute(q, v)
However, since you need to dynamically insert column names, the appropriate solution for you is combining parameterized queries with MySQLdb.escape_string:
q = "INSERT IGNORE INTO summoners({0},{1},{2},{3},{4}) VALUES (%s,%s,%s,%s,%s)".format(*c)
query = MySQLdb.escape_string(q)
cursor.execute(query, v)
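
An added example, not part of the original answer: another way to handle dynamic column names is to check each one against a fixed allowlist and bind the values as parameters. `build_insert`, `ALLOWED_COLUMNS` and `demo` are hypothetical names; the column list is taken from the INSERT statement above, and in-memory sqlite3 stands in for MySQL so the block runs offline.

```python
import sqlite3

# Columns of the summoners table, as listed in the INSERT statement above.
ALLOWED_COLUMNS = frozenset(
    ["profileIconId", "summonerLevel", "revisionDate", "id", "name"])


def build_insert(columns, values, placeholder="%s", ignore=True):
    """Return (sql, params) for an INSERT into summoners.

    Column names must be in ALLOWED_COLUMNS; values are never formatted
    into the SQL text, only returned for the driver to bind.
    placeholder is "%s" for MySQLdb and "?" for sqlite3.
    """
    columns, values = list(columns), tuple(values)
    if placeholder not in ("%s", "?"):
        raise ValueError("unsupported placeholder")
    if not columns or len(columns) != len(values):
        raise ValueError("need exactly one value per column")
    if len(set(columns)) != len(columns):
        raise ValueError("duplicate column name")
    for col in columns:
        if col not in ALLOWED_COLUMNS:
            raise ValueError("unexpected column name: %r" % (col,))
    verb = "INSERT IGNORE" if ignore else "INSERT"
    col_sql = ", ".join("`%s`" % col for col in columns)
    marks = ", ".join([placeholder] * len(columns))
    sql = "%s INTO summoners (%s) VALUES (%s)" % (verb, col_sql, marks)
    return sql, values


def demo():
    """Run the builder against in-memory sqlite3 (stand-in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE summoners (profileIconId, summonerLevel,"
               " revisionDate, id, name)")
    cols = ["profileIconId", "summonerLevel", "revisionDate", "id", "name"]
    rows = [  # constructed sample rows
        (1, 30, 1400000000, 101, "TheOddOne"),
        (2, 12, 1400000001, 102, "' or 1 = 1 or '"),
    ]
    for row in rows:
        sql, params = build_insert(cols, row, placeholder="?", ignore=False)
        db.execute(sql, params)
    # Bound as a parameter, the injection string from the answer matches
    # only the row whose name is literally that string.
    hits = db.execute("SELECT id FROM summoners WHERE name = ?",
                      ("' or 1 = 1 or '",)).fetchall()
    return [h[0] for h in hits]
```

With MySQLdb the call is `cursor.execute(*build_insert(c, v))`, keeping the default `%s` placeholder.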