
Code in .py file:

cur = mysql.connection.cursor()
# Check if this user had voted for somebody
is_voted = cur.execute("SELECT TUTOR_VOTED FROM USERS WHERE USERNAME="+str(session["username"]))

session["username"] keeps the user cookie. The user I am already logged in as is named "admin".

But there might be something wrong with the MySQL command inside is_voted.

Error:

MySQLdb._exceptions.OperationalError: (1054, "Unknown column 'admin' in 'where clause'")

But I got the correct return value while using

SELECT TUTOR_VOTED FROM USERS WHERE USERNAME='admin'


Is there anything wrong with my input format inside is_voted?

  • is_voted=cur.execute("SELECT TUTOR_VOTED FROM USERS WHERE USERNAME= ?",(session["username"])), can you try this and let me know the result? Commented May 4, 2019 at 6:31
  • Another error happens when using this line. Error: MySQLdb._exceptions.ProgrammingError: not all arguments converted during bytes formatting Commented May 4, 2019 at 6:39
  • Then the parameter needs to be converted to a string: is_voted=cur.execute("SELECT TUTOR_VOTED FROM USERS WHERE USERNAME= ?",str((session["username"]))) Commented May 4, 2019 at 6:43
  • It still gets an error, but the following answer is_voted = cur.execute("SELECT TUTOR_VOTED FROM USERS WHERE USERNAME='%s'" % str(session["username"])) works. Commented May 4, 2019 at 6:45

1 Answer

Your output string of the combination "SELECT TUTOR_VOTED FROM USERS WHERE USERNAME="+str(session["username"]) misses a couple of single quotes ''. You can change it to:

is_voted = cur.execute("SELECT TUTOR_VOTED FROM USERS WHERE USERNAME='%s'" % str(session["username"]))

4 Comments

This will surely be the better answer, but it's sort of open to attacks: SQL injection.
Yeah, sure, that's not the best practice for code in production. But I think it's a different story, as in some cases people may like to see the result as quickly as possible.
Thank you so much, I really didn't know about this kind of attack. Should I write a function to check the username to avoid SQL injection?
It is a long story. You can find some ideas here: github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/…
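The three queries in this thread side by side, as an added example that is not code from the question, the answer or the comments: the concatenated form that produced the "Unknown column" error, the quoted %s form from the answer, and the parameterised form the last comments point towards. It uses an in-memory sqlite3 database standing in for the MySQL USERS table so it runs offline; the table rows and the attacker-controlled username are constructed for the example. Two driver details worth knowing when porting this back to MySQLdb: its placeholder is %s, not ?, and the arguments must be a tuple such as (session["username"],). A bare string is treated as a sequence of arguments, one per character, and a query with no %s placeholders cannot consume any of them, which is what the "not all arguments converted" error in the comments reports. Validating the username does not replace parameterisation: with a placeholder the value is never parsed as SQL, whatever it contains.

```python
import sqlite3

# Constructed sample table standing in for USERS on the page. sqlite3 is used
# only so this runs offline; MySQLdb interpolates strings the same way but
# its parameter placeholder is %s rather than sqlite3's ?.
ROWS = [("admin", "tutor_a"), ("alice", "tutor_b")]


def make_db():
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE USERS (USERNAME TEXT, TUTOR_VOTED TEXT)")
    cur.executemany("INSERT INTO USERS VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def query_concat(username):
    """The question's original string: no quotes around the value, so the
    database parses admin as a column name (the 1054 error on the page)."""
    return "SELECT TUTOR_VOTED FROM USERS WHERE USERNAME=" + str(username)


def concat_raises(conn, username):
    """Execute the unquoted query. Returns True when the database rejects it
    (sqlite3 reports 'no such column'; MySQL reports 1054 'Unknown column')."""
    try:
        conn.cursor().execute(query_concat(username))
    except sqlite3.OperationalError:
        return True
    return False


def tutor_voted_quoted(conn, username):
    """The accepted answer's pattern. Quotes fix the syntax, but a single
    quote inside `username` closes the literal and the rest runs as SQL."""
    sql = "SELECT TUTOR_VOTED FROM USERS WHERE USERNAME='%s'" % str(username)
    cur = conn.cursor()
    cur.execute(sql)
    return sorted(row[0] for row in cur.fetchall())


def tutor_voted_param(conn, username):
    """Parameterised query: the value travels separately from the SQL text,
    so quotes in it are data. MySQLdb equivalent (placeholder is %s, the
    argument is a one-element tuple):
        cur.execute("SELECT TUTOR_VOTED FROM USERS WHERE USERNAME=%s",
                    (session["username"],))
    """
    cur = conn.cursor()
    cur.execute("SELECT TUTOR_VOTED FROM USERS WHERE USERNAME=?", (username,))
    return sorted(row[0] for row in cur.fetchall())


# Constructed attacker-controlled session value: closes the quoted literal
# and appends an always-true condition.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(query_concat("admin"))              # ... WHERE USERNAME=admin
    print(concat_raises(conn, "admin"))       # True
    print(tutor_voted_quoted(conn, "admin"))  # ['tutor_a']
    print(tutor_voted_quoted(conn, PAYLOAD))  # ['tutor_a', 'tutor_b']
    print(tutor_voted_param(conn, PAYLOAD))   # []
```

With the payload, the quoted query becomes `WHERE USERNAME='x' OR '1'='1'` and returns every user's vote; the parameterised query looks for a user literally named `x' OR '1'='1` and returns nothing.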
