0

In the given query I am trying to take table name as input from user:

import MySQLdb
import csv
conn=MySQLdb.connect("localhost","root","","graphdata")

c=conn.cursor()
a= raw_input("Enter the table name")
sql='''SELECT distinct sku FROM %s_management'''
c.execute(sql,str(a))
rows=c.fetchall()

file=open('mine.csv','a+')

for eachRow in rows:
    print eachRow
    a=eachRow
    file.write(str(a)+"\n")

file.close()

what I wanted was that the compiler should as 

Enter table name:

I should enter the table name 

Enter table name: inventory

it should get concatenated in the query:

sql='''SELECT distinct sku FROM inventory_management'''

but up until now I have gotten these errors: 

 c.execute(sql,str(a))
  File "C:\Python27\lib\site-packages\MySQLdb\cursors.py", line 198, in execute
    query = query % args
TypeError: not all arguments converted during string formatting


  File "change.py", line 7, in <module>
    sql='''SELECT distinct sku FROM %s'''(a)
TypeError: 'str' object is not callable


    c.execute("SELECT distinct sku FROM %s_management")(a)
  File "C:\Python27\lib\site-packages\MySQLdb\cursors.py", line 219, in execute
    self.errorhandler(self, exc, value)
  File "C:\Python27\lib\site-packages\MySQLdb\connections.py", line 38, in defau
lterrorhandler
    raise errorvalue
_mysql_exceptions.ProgrammingError: (1064, "You have an error in your SQL syntax
; check the manual that corresponds to your MySQL server version for the right s
yntax to use near '%s_management' at line 1")
Improve this question
2
  • 3
    Unfortunately, tables can't be the target of parameter substitution. More info over here stackoverflow.com/a/3247553/3603445 Commented Jun 14, 2018 at 7:11
  • @chakri the solution given below worked out. thank you for the link provided Commented Jun 14, 2018 at 10:47

2 Answers 2

Reset to default
2

Use format() of string

>>> sql='SELECT distinct sku FROM {}_management'.format(a)
>>> sql
>>> 'SELECT distinct sku FROM inventory_management'

Then you just pass your query to the cursor:

c.execute(sql)
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

I don't recommend this because of security issues it brings with it, but you can do this instead -

c.execute(sql % str(a))

Or use any other kind of string formatter in python to change the table name.

Improve this answer

3 Comments

can explain a bit about what issues might be there
@user9144536 Read about SQL injections. It's very dangerous to have user defined input to be directly executed as a query. It's the same issue with using format() or any other way of manipulating strings.
Thank you bro, really helped

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.