How can I delete a record using MySQL in Python?

Question

I have a database table called Students and I want to delete a record using SQL. Here is my code:

uid = int(input("Please enter students ID: "))
c.execute("DELETE FROM Students WHERE ID = (uid) ")

I want to input the ID variable (uid) into the c.execute

Thanks in advance.

I guess you are looking for: c.execute("DELETE FROM Students WHERE ID = {} ".format(uid)) — JustRufus
– JustRufus, Commented Mar 4, 2017 at 10:57
@JustRufus Keep in mind that this example is exposed to SQL injection. — DeepSpace
– DeepSpace, Commented Mar 4, 2017 at 11:19
It is not, as it's int... you can't inject any code with int. — Flash Thunder
– Flash Thunder, Commented Mar 4, 2017 at 11:20

Daniel Roseman · Accepted Answer · 2017-03-04 11:37:17Z

3

You must not use string interpolation as recommended in the other answer; while in this specific case it might be OK, generally it is unsafe as it opens you up to SQL injection. Instead, use the support for parameters in the execute method:

uid = int(input("Please enter students ID: "))
c.execute("DELETE FROM Students WHERE ID = %s", (uid,))

answered Mar 4, 2017 at 11:37

Daniel Roseman

602k68 gold badges910 silver badges923 bronze badges

Sign up to request clarification or add additional context in comments.

Comments

Community · Accepted Answer · 2017-05-23 11:54:55Z

1

What Daniel Roseman said should be the correct answer.

You can insert the ID as a parameter for the .execute method. There is an answer about this here

edited May 23, 2017 at 11:54

CommunityBot

11 silver badge

answered Mar 4, 2017 at 12:09

EyfI

1,0052 gold badges18 silver badges25 bronze badges

Comments

Flash Thunder · Accepted Answer · 2017-03-04 10:58:06Z

0

Basically the syntax is:

"some string: %s, some int: %i, some double: %d" % (string_var,int_var,double_var)

so:

uid = int(input("Please enter students ID: "))
c.execute("DELETE FROM Students WHERE ID = %i" % (uid))

answered Mar 4, 2017 at 10:58

Flash Thunder

12.1k10 gold badges55 silver badges103 bronze badges

8 Comments

DeepSpace Over a year ago

This code is exposed to SQL injection. OP should use a parameterized query.

Flash Thunder Over a year ago

Not really... it is int... not vulnerable.

DeepSpace Over a year ago

And tomorrow OP will try to use a string in the same fashion.

Flash Thunder Over a year ago

Maybe, but this code is fine. Giving -1 because I don't agree with you? Oh ok.

Daniel Roseman Over a year ago

What? I can't understand how you can say that. This question is entirely about how to interpolate a variable into a database call. It is unquestionably unsafe to use string formatting to do that, which is why the database API provides a safe supported way to do it.

|

Collectives™ on Stack Overflow

How can I delete a record using MySQL in Python?

3 Answers 3

Comments

Comments

8 Comments

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

3 Answers 3

Comments

Comments

8 Comments

Your Answer

Sign up or log in

Post as a guest

Linked

Related