sqlite3.OperationalError: near "s": syntax error

code
Traceback (most recent call last):
  File "test.py", line 190, in <module>
    cursor.execute(sql)
sqlite3.OperationalError: near "s": syntax error
code
Suppose name contains a single quote followed by a t, as in
name = "don't look now"
sql = "update foo set is_processed=1 where bar='"+name+"'"
Then sql would equal
In [156]: sql
Out[156]: "update foo set is_processed=1 where bar='don't look now'"
and sqlite3 will think the conditional is where bar='don' followed by a syntax error, t look now'. sqlite3 then raises
sqlite3.OperationalError: near "t": syntax error
This is an example of why you should always use parametrized SQL. To avoid this problem (and protect your code from SQL injection attacks), use parametrized SQL and pass a sequence (or, depending on the paramstyle, a mapping) of values as the second argument to cursor.execute:
sql = "update foo set is_processed=1 where bar=?"
cursor.execute(sql, [name])
When you pass arguments (such as [name]) as the second argument to cursor.execute, sqlite3 will escape the single-quote for you. 

 

                         

上一篇:wsl2 编译 linux openwrt 项目的时候,经常会出现 bash: -c: line 0: syntax error near unexpected token `('


下一篇:sklearn 线性回归