I'm trying to get the value of name=a and get the data there. But I'm getting:

    sqlite3.OperationalError: no such column: a

    import sqlite3 as sql
    from flask import Flask

    app = Flask(__name__)

    @app.route('/editform/<_name>')
    def editform(_name):
        db = sql.connect("database.db")
        cursor = db.cursor()
        # the value of _name is pasted straight into the SQL text
        cursor.execute('SELECT * FROM students WHERE name= %s' %_name)
CodePudding user response:
That's because you use string formatting to substitute %s with the value of _name, ending up with:

    SELECT * FROM students WHERE name= a

Note that a here is interpreted to be a column name because it is not between quotes (i.e. "a").

Don't use string formatting for SQL statements as you will be vulnerable to SQL injection attacks. Use the proper placeholder syntax:

    cursor.execute('SELECT * FROM students WHERE name=?', (_name,))
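Added example (not code from the question or the answer above) that runs both styles against a constructed in-memory students table, so you can see the "no such column" error from string formatting and the matching row from the ? placeholder; the table layout and sample names are assumptions of this example.

```python
import sqlite3

# Constructed sample data for this example (not from the original post).
SAMPLE_ROWS = [("a", 90), ("O'Brien", 85)]


def make_db():
    """Return an in-memory SQLite database with a small students table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (name TEXT, grade INTEGER)")
    db.executemany("INSERT INTO students VALUES (?, ?)", SAMPLE_ROWS)
    db.commit()
    return db


def lookup_formatted(db, _name):
    """The question's approach: the value is pasted into the SQL text.
    Unquoted input is parsed as an identifier and a quote inside the
    input breaks the statement, so the input can change its meaning."""
    cursor = db.cursor()
    cursor.execute("SELECT * FROM students WHERE name= %s" % _name)
    return cursor.fetchall()


def lookup_param(db, _name):
    """The answer's approach: '?' is a placeholder and the driver binds
    the value, so it is always treated as data, never as SQL."""
    cursor = db.cursor()
    cursor.execute("SELECT * FROM students WHERE name=?", (_name,))
    return cursor.fetchall()


def compare(_name):
    """Run both lookups on the same input; return (formatted, param).
    The formatted result is the error text when the statement fails."""
    db = make_db()
    try:
        formatted = lookup_formatted(db, _name)
    except sqlite3.OperationalError as exc:
        formatted = "OperationalError: %s" % exc
    return formatted, lookup_param(db, _name)


if __name__ == "__main__":
    for name in ("a", "O'Brien"):
        print(name, "->", compare(name))
```

For the input a the formatted query fails with "no such column: a" while the placeholder version returns the row; for O'Brien the embedded quote breaks the formatted statement but the placeholder version still finds the student.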