I'm trying to insert a string into a SQLite Select statement in Python. When I try this code:

cur.execute("SELECT * FROM DB WHERE employeeNum = '?'",(empNum,))

I get this error:

sqlite3.ProgrammingError: Incorrect number of bindings supplied. The current statement uses 0, and there are 1 supplied.

When I try this code:

cur.execute("SELECT * FROM DB WHERE employeeNum = '",empNum,"'")

I get this error:

TypeError: function takes at most 2 arguments (3 given)

How do I query this string? Sorry, I'm new to Python. Any help would be greatly appreciated!

Fabian
user908759

1 Answer

Do not use string formatting to insert query parameters into the query - this would make SQL injections possible, you would have problems with characters that need to be escaped, with data type conversions etc.

Eliminate the quotes around ? and continue using parameterized query parameters:

cur.execute("SELECT * FROM DB WHERE employeeNum = ?", (empNum, ))

The quotes around ? made SQLite interpret ? as a string, not a placeholder.

Also see similar problem:

Community
alecxe
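The behaviours discussed in the question and answer above, side by side, as an added example that is not part of the original posts. It uses an in-memory database with constructed rows; the helper names (`make_db`, `quoted`, `formatted`, `bound`, `outcome`) are hypothetical, and only the table and column names come from the question.

```python
import sqlite3

def make_db():
    # Constructed sample rows; table and column names follow the question.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE DB (employeeNum TEXT, name TEXT)")
    con.executemany("INSERT INTO DB VALUES (?, ?)", [
        ("E100", "Ann"), ("E200", "Bob"),
        ("E'300", "Cara"),   # value containing a quote character
        ("?", "Dan"),        # value that is literally a question mark
    ])
    return con

def quoted(con, emp_num=None):
    # '?' inside quotes is a string literal: the statement has zero placeholders.
    sql = "SELECT name FROM DB WHERE employeeNum = '?'"
    args = () if emp_num is None else (emp_num,)
    return con.execute(sql, args).fetchall()

def formatted(con, emp_num):
    # What the answer warns against: the value becomes part of the SQL text.
    sql = "SELECT name FROM DB WHERE employeeNum = '%s'" % emp_num
    return con.execute(sql).fetchall()

def bound(con, emp_num):
    # The answer's fix: unquoted ? placeholder, value passed separately.
    sql = "SELECT name FROM DB WHERE employeeNum = ?"
    return con.execute(sql, (emp_num,)).fetchall()

def outcome(fn, *args):
    # Return the rows, or the exception class name if sqlite3 rejects the call.
    try:
        return fn(*args)
    except sqlite3.Error as exc:
        return type(exc).__name__

if __name__ == "__main__":
    con = make_db()
    tautology = "x' OR '1'='1"  # constructed input that changes the WHERE clause
    print("quoted ?, one binding :", outcome(quoted, con, "E100"))
    print("quoted ?, no binding  :", outcome(quoted, con))
    print("formatted, quote char :", outcome(formatted, con, "E'300"))
    print("bound, quote char     :", outcome(bound, con, "E'300"))
    print("formatted, tautology  :", outcome(formatted, con, tautology))
    print("bound, tautology      :", outcome(bound, con, tautology))
```

With the bound form the input is only ever compared as a value, so the quote character matches its row and the tautology string matches nothing.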