0

I am trying to pass a query through my script, but i get a SQL error. Running the same sql statement in Heidisql works fine.

My question is: - What am I doing wrong?

error message

_mysql.connection.query(self, query) _mysql_exceptions.ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'Gabrielsen)' at line 1")

Python script where Database is the correct connection to database

F="Gunnar Gabrielsen"
Database.query('INSERT INTO documents (name) values (' + F + ');')
i=Database.query('SELECT * from documents;')
print(i)

Python version:Python 3.4

Module:Mysqldb

DB:MariaDB

Improve this question

2 Answers 2

Reset to default
1

You haven't put quotes around your value.

But you should never do it this way anyway. Quite apart from the quoting problem, you are opening yourself to sql injection attacks.

Use a parametrised query instead:

cursor.execute('INSERT INTO documents (name) values (%s)',  (F,))
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thank you, also for giving insight sqlinjection I saw the %s, but I never understood the application of it
0

You have generated this:

INSERT INTO documents (name) values (Gunnar Gabrielsen);

What you need is

INSERT INTO documents (name) values ("Gunnar Gabrielsen");

But, without escaping or parameterizing, you are opening your code (and system) up to "sql injection" and other hacking.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.