
Code in .py file:

cur = mysql.connection.cursor()
# Check if this user had voted for somebody
is_voted = cur.execute("SELECT TUTOR_VOTED FROM USERS WHERE USERNAME="+str(session["username"]))

session["username"] keeps the user's cookie value. The user I am already logged in as is named "admin".

But there might be something wrong with the MySQL command inside is_voted.

Error:

MySQLdb._exceptions.OperationalError: (1054, "Unknown column 'admin' in 'where clause'")

But I got the correct return value while using

SELECT TUTOR_VOTED FROM USERS WHERE USERNAME='admin'


Is there anything wrong with my input format inside is_voted?

  • is_voted=cur.execute("SELECT TUTOR_VOTED FROM USERS WHERE USERNAME= ?",(session["username"])), can you try this and let me know the result? Commented May 4, 2019 at 6:31
  • Another error happens when using this line. Error: MySQLdb._exceptions.ProgrammingError: not all arguments converted during bytes formatting Commented May 4, 2019 at 6:39
  • Then the parameter needs to be converted to a string: is_voted=cur.execute("SELECT TUTOR_VOTED FROM USERS WHERE USERNAME= ?",str((session["username"]))) Commented May 4, 2019 at 6:43
  • It still gets an error, but the following answer is_voted = cur.execute("SELECT TUTOR_VOTED FROM USERS WHERE USERNAME='%s'" % str(session["username"])) works Commented May 4, 2019 at 6:45

1 Answer

Your output string of the combination "SELECT TUTOR_VOTED FROM USERS WHERE USERNAME="+str(session["username"]) is missing a couple of single quotes (''). You can change it to:

is_voted = cur.execute("SELECT TUTOR_VOTED FROM USERS WHERE USERNAME='%s'" % str(session["username"]))

4 Comments

This will surely be the better answer, but it's sort of open to attacks: SQL injection.
Yeah, sure, it's not the best practice for code in production. But I think it's a different story, as in some cases people may like to see the result as quickly as possible.
Thank you so much, I really didn't know about this kind of attack. Should I write a function to check the username to avoid SQL injection?
It is a long story. You can find some ideas here: github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/…
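An added example, not code from the question or the answer, that puts the three patterns on this page side by side: the unquoted concatenation from the question, the '%s'-formatted string from the answer, and a parameterised query. It uses an in-memory sqlite3 table constructed here as a stand-in for the MySQL USERS table so it runs offline; MySQLdb's placeholder is %s (paramstyle "format") while sqlite3's is ? (paramstyle "qmark"), which is why the "?" suggested in the comments fails under MySQLdb, so the PLACEHOLDER lookup picks the right one for the driver in use.

```python
import sqlite3

# MySQLdb.paramstyle is "format" (%s); sqlite3.paramstyle is "qmark" (?).
PLACEHOLDER = {"qmark": "?", "format": "%s"}[sqlite3.paramstyle]


def make_db():
    """Constructed stand-in for the page's USERS table (sqlite3, in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (USERNAME TEXT PRIMARY KEY, TUTOR_VOTED TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?)",
                     [("admin", "tutor_1"), ("o'brien", "tutor_2")])
    return conn


def tutor_voted_unquoted(conn, username):
    """The question's pattern: no quotes, so the value is parsed as a column name
    (sqlite3 reports 'no such column', MySQL reports error 1054)."""
    cur = conn.cursor()
    cur.execute("SELECT TUTOR_VOTED FROM USERS WHERE USERNAME=" + str(username))
    row = cur.fetchone()
    return row[0] if row else None


def tutor_voted_formatted(conn, username):
    """The answer's pattern: quoted, but the value is still pasted into the SQL
    text, so a quote inside the username changes the statement itself."""
    cur = conn.cursor()
    cur.execute("SELECT TUTOR_VOTED FROM USERS WHERE USERNAME='%s'" % str(username))
    row = cur.fetchone()
    return row[0] if row else None


def tutor_voted_param(conn, username):
    """Parameterised query: the driver passes the value separately from the SQL,
    so quote characters in the username never alter the statement's structure."""
    cur = conn.cursor()
    # execute() returns a row count in MySQLdb, not the column, so fetch the row.
    cur.execute("SELECT TUTOR_VOTED FROM USERS WHERE USERNAME=" + PLACEHOLDER,
                (str(username),))  # parameters go in a one-element tuple
    row = cur.fetchone()
    return row[0] if row else None


def fails(func, conn, username):
    """True if the lookup raises a database error for this username."""
    try:
        func(conn, username)
        return False
    except sqlite3.Error:
        return True
```

With MySQLdb the same tutor_voted_param body works unchanged because PLACEHOLDER resolves to %s from the driver's paramstyle.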
