How do I pass a variable in an SQL query in python

Question

nameEnt = nameEntered.get()

print(nameEnt)

sql = "SELECT * FROM attendance WHERE name="%s"
val = (nameEnt)
print(mycursor.execute(sql, val))
myresult = mycursor.fetchall()
for x in myresult:
    print(x)

I would like to pass the string in 'nameEnt' into the SQL query using python. I'm currently using the mysql-connector package. The program keeps telling me that my syntax is incorrect. I can execute the query in SQL directly without any problem.

I have also tried

sql = "SELECT * FROM attendance WHERE name= "+nameENt

Answer 1

you can try:

sql = "SELECT * FROM attendance WHERE name = %s",(nameEnt)

Or:

sql = "SELECT * FROM attendance WHERE name = {}".format(nameEnt)

Answer 2

Do not combine SQL strings with data unless you know what you are doing. Doing so is a sure way to get yourself an SQL injection vulnerability.

Your original code was almost correct. First, as the comments noted, you don't need the quotes around %s:

sql = "SELECT * FROM attendance WHERE name=%s"

Then, your second parameter to cursor.execute() is a tuple, but in Python, to make a single-element tuple, wrapping it in brackets isn't enough:

my_element = 12345
not_a_tuple = (my_element)
type(not_a_tuple) == int

real_tuple = (my_element,)  # note the comma at the end
type(real_tuple) == tuple

Applying these to your code, you get:

nameEnt = nameEntered.get()

print(nameEnt)

sql = "SELECT * FROM attendance WHERE name=%s"
val = (nameEnt,)
print(mycursor.execute(sql, val))
myresult = mycursor.fetchall()
for x in myresult:
    print(x)