
Can someone help me with this? I'm a new programmer, and for a little project I need to create a profile page for every user in the database in Flask.

@app.route("/idpage/<int:page_id>", methods=['GET', 'POST'])
def profilepage(page_id):
    profile=engine.execute("SELECT username,password FROM tutorial WHERE id=" +page_id+ "").fetchall()
    return render_template('viewprofile.html', profile=profile)

The error it gave me is

TypeError: cannot concatenate 'str' and 'int' objects

This is my second "program". Can I find some documentation for using SQL?

  • Since you are just starting: Great choice on Flask, not so great choice on MySQL. Use Postgres. It's a much better database and it has less weird gotchas. Commented Feb 23, 2016 at 13:18

1 Answer


You should never build queries by directly inserting user input into them. This opens you up to SQL injection attacks. Instead, you should use bind parameters.

engine.execute("SELECT username, password FROM tutorial WHERE id = ?", page_id)

Note, the bind symbol varies from driver to driver, but will typically be one of ? or %s.


4 Comments

AFAIK it's always %s or %(name)s, and never %d (not even for numbers)
I've only used s but I wasn't sure if some drivers accepted others. I updated the answer. Thanks.
I believe you're right on the %s, that threw me when I was starting with SQLAlchemy. The approach is right, though. +1
While in principle this answer is much better than mine (I am happy to concede that), I think it is too concise for a coding (not just Python) newbie. I would suggest that you give him the bind line as well to not confuse him unnecessarily.
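The parameterised query from the answer, worked as a runnable example (added here; it is not the answer's or the asker's own code). It uses the standard-library sqlite3 module, whose placeholder is `?`; a MySQL driver would use `%s` as the comments note. The table rows are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for the asker's "tutorial" table.
SAMPLE_ROWS = [
    (1, "alice", "hunter2"),
    (2, "bob", "s3cret"),
]


def make_db():
    """In-memory SQLite database with the same columns the question uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tutorial (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO tutorial VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def get_profile(conn, page_id):
    """Parameterised version of the question's query.

    The value travels to the driver separately from the SQL text, so it is
    never spliced into the statement. No str()/concatenation is needed: the
    int that Flask's <int:page_id> converter hands over is bound as-is, which
    also removes the TypeError the asker hit.
    """
    return conn.execute(
        "SELECT username, password FROM tutorial WHERE id = ?", (page_id,)
    ).fetchall()


def demo():
    conn = make_db()
    normal = get_profile(conn, 1)            # [("alice", "hunter2")]
    # A value that would alter the WHERE clause if it were concatenated into
    # the string is compared as plain data here and simply matches no id.
    hostile = get_profile(conn, "1 OR 1=1")  # []
    return normal, hostile


if __name__ == "__main__":
    print(demo())
```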
