Question

What is the correct syntax to use parameters passed through bottle routes in a SQL statement? (tons of code omitted for clarity here, everything works except this)

from bottle import route
import MySQLdb

@route('/sqldynamic/<foo>/<bar>')
def sqlDynamic(foo, bar):
        db = MySQLdb.connect("127.0.0.1", "username", "password", "database")
        cursor = db.cursor()
        # The route parameters are never handed to the query: "foo" and "bar"
        # inside the string are literal SQL text, not the values from the URL.
        cursor.execute("SELECT this, that WHERE this > foo AND that like '%bar%';")
        data = cursor.fetchall()
        db.close()
        return str(data)

Solution

Since you're using MySQL:

cursor.execute("SELECT this, that WHERE this > %s AND that like %s;", (foo, bar))

(This is irrespective of Bottle.)

(Also, if you care about SQL injection then you should add some validation.)
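The following is an added, runnable example illustrating the answer above; it is not code from the question or the answer. It uses Python's built-in sqlite3 module as a stand-in for MySQLdb so it runs without a MySQL server: sqlite3 uses `?` as its placeholder where MySQLdb uses `%s`, but the mechanism is the same. The table, rows, function names and the sample inputs are all constructed for the example. It shows the string-splicing pattern beside the parameterized one, the input validation the answer mentions, and one caveat the answer does not cover: `%` and `_` inside a bound value are still LIKE wildcards, so they need escaping when the user should not control the matching.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite table that stands in for the
# MySQL table behind the "this"/"that" columns in the question.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE t (this INTEGER, that TEXT)")
    db.executemany(
        "INSERT INTO t VALUES (?, ?)",
        [(1, "alpha"), (5, "beta"), (10, "gamma_beta"), (15, "gamma-beta"), (20, "delta")],
    )
    return db


def query_vulnerable(db, foo, bar):
    """Route parameters spliced into the SQL text (the pattern to avoid).

    Whatever arrives in `bar` becomes part of the statement, so it can change
    the statement's logic instead of being matched as text.
    """
    sql = "SELECT this, that FROM t WHERE this > %s AND that LIKE '%%%s%%'" % (foo, bar)
    return db.execute(sql).fetchall()


def query_safe(db, foo, bar):
    """Placeholders plus input validation, as the answer recommends.

    sqlite3 uses '?' as its placeholder where MySQLdb uses '%s'; either way the
    driver sends `bar` as a bound value, so it cannot alter the statement.
    Wildcards are added to the value, not to the SQL text.
    """
    threshold = int(foo)          # raises ValueError for anything non-numeric
    pattern = "%" + bar + "%"
    return db.execute(
        "SELECT this, that FROM t WHERE this > ? AND that LIKE ?",
        (threshold, pattern),
    ).fetchall()


def like_literal(text, esc="\\"):
    """Escape LIKE metacharacters so user text is matched literally.

    Binding a value stops SQL injection, but '%' and '_' inside the value are
    still LIKE wildcards; escape them if the user should not control matching.
    """
    return (text.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def query_safe_literal(db, foo, bar):
    """Like query_safe, but `bar` is matched as a literal substring."""
    threshold = int(foo)
    pattern = "%" + like_literal(bar) + "%"
    return db.execute(
        "SELECT this, that FROM t WHERE this > ? AND that LIKE ? ESCAPE '\\'",
        (threshold, pattern),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(query_safe(db, "3", "beta"))                # [(5, 'beta'), (10, 'gamma_beta'), (15, 'gamma-beta')]
    print(query_vulnerable(db, "3", "' OR 1=1 --"))   # all five rows: the input rewrote the WHERE clause
    print(query_safe(db, "3", "' OR 1=1 --"))         # []: the same input was matched as plain text
    print(query_safe(db, "3", "a_b"))                 # '_' still acts as a wildcard: both gamma rows
    print(query_safe_literal(db, "3", "a_b"))         # [(10, 'gamma_beta')] only
```

For benign input the two query styles return the same rows; they differ only when the input contains SQL syntax, which is exactly the case the answer's `%s` placeholders exist for. Converting `foo` with `int()` before binding is the simple validation step the answer alludes to: a route parameter that is not a number is rejected before any SQL runs.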

License: CC-BY-SA with attribution
Not affiliated with StackOverflow