I have a question regarding variable injection into a SQL query with SQLAlchemy/Python (3.8).
What I have researched so far was adding %s and also email_address=? and then adding it (email_address), but without success.
What I am trying to do is capture user input and run a select query dynamically.
print(" What is the email address??")
email_address = input()
conn = create_engine("mssql+pyodbc://test_table:[email protected]:3306/test_db?driver=SQL+Server&Trusted_Connection=yes", echo=False)
sql = pd.read_sql('Select id,email_address from test_table where email_address = email_address', conn)
print(sql)
CodePudding user response:
Try:
import pandas as pd
from sqlalchemy import create_engine

print(" What is the email address??")
email_address = input()
conn = create_engine("mssql+pyodbc://test_table:[email protected]:3306/test_db?driver=SQL+Server&Trusted_Connection=yes", echo=False)
# Pass the value through params instead of writing it into the SQL string
sql = pd.read_sql('Select id,email_address from test_table where email_address = %(email_address)s', conn, params={"email_address": email_address})
print(sql)
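A runnable variant of the lookup above, added here as an example and not part of the original answer: it wraps the query in SQLAlchemy's `text()` with a `:email_address` placeholder, which SQLAlchemy translates to whatever placeholder style the underlying driver expects. An in-memory SQLite database with constructed rows stands in for the SQL Server instance, and the function names are hypothetical.

```python
import pandas as pd
from sqlalchemy import create_engine, text

# Assumption: in-memory SQLite replaces the mssql+pyodbc engine so this runs offline.
# The rows below are constructed sample data.
engine = create_engine("sqlite://")
with engine.begin() as conn:
    conn.execute(text("CREATE TABLE test_table (id INTEGER PRIMARY KEY, email_address TEXT)"))
    conn.execute(
        text("INSERT INTO test_table (id, email_address) VALUES (:id, :email_address)"),
        [
            {"id": 1, "email_address": "alice@example.com"},
            {"id": 2, "email_address": "o'brien@example.com"},
            {"id": 3, "email_address": "carol@example.com"},
        ],
    )

# :email_address is a bind parameter; the value never becomes part of the SQL text.
QUERY = text(
    "SELECT id, email_address FROM test_table WHERE email_address = :email_address"
)


def lookup_bound(email_address):
    """Run the select with the user's value sent separately as a bound parameter."""
    with engine.connect() as conn:
        return pd.read_sql(QUERY, conn, params={"email_address": email_address})


def lookup_formatted(email_address):
    """Anti-pattern kept for contrast: the value is pasted into the SQL string."""
    sql = f"SELECT id, email_address FROM test_table WHERE email_address = '{email_address}'"
    with engine.connect() as conn:
        return pd.read_sql(text(sql), conn)


def formatted_lookup_fails(email_address):
    """Return True when the string-built query is rejected by the database."""
    try:
        lookup_formatted(email_address)
    except Exception:  # pandas or SQLAlchemy error class, depending on versions
        return True
    return False


if __name__ == "__main__":
    print(lookup_bound("o'brien@example.com"))
    print("string-built query fails:", formatted_lookup_fails("o'brien@example.com"))
```

The address containing an apostrophe is matched correctly through the bound parameter, while the string-built query stops being valid SQL as soon as the input contains a quote.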