0

I want to insert data in mysql table by user command. But i can't understand why cannot execute code. Code sample:

user_name= input("What is your name?:\n")
user_phone= input("What is your phone:\n")
user_city= input("Your city:\n")
myCursor.execute("insert into information(name,phone, city) values(user_name, user_phone, user_city);")
print("Insert successfully")
Improve this question
1
  • 1
    Please do not use the recipes from the answers. They will make your code vulnerable to SQL injection attacks. Use placeholders and parameter substitution instead. How exactly that looks depends a bit on the driver you use, but it always follows the pattern of the linked duplicate. Commented Aug 1, 2019 at 10:11

2 Answers 2

Reset to default
1 
import pymysql
con = pymysql.connect("Host", "Username", "Password", "Database")
cur = con.cursor()
#taken from sample displayed
user_name = input("What is your name?:\n")
user_phone = int(input("What is your phone number:\n"))
user_city = input("Your city:\n")
cur.execute("insert into information(name,phone, city) values('{}', {}, 
'{}')".format(user_name, user_phone, user_city))
con.commit()
con.close()
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Never use string formatting or concatenation to put parameters into an SQL statement. Especially not if the values come from unprocessed user input. See what happens when you run your script and enter c'); DROP TABLE information -- at the Your city: prompt. Always use the parameters or args argument of the execute* methods to pass parameters to your queries.
0

you need to define below variables in order to use execute.

import cx_Oracle
DSN_TNS = cx_Oracle.makedsn(IP, PORT, SID)
DB_CRED = cx_Oracle.connect(USERNAME, PASSWORD, DSN_TNS)
curs = DB_CRED.cursor()
user_name= input("What is your name?:\n")
user_phone= input("What is your phone:\n")
user_city= input("Your city:\n")
sql_query = "insert into information(name,phone, city) values('{0}','{1}','{2}')".format(user_name, user_phone, user_city)
curs.execute(sql_query)
DB_CRED.commit()
DB_CRED.close()
Improve this answer

4 Comments

Never use string formatting or concatenation to put parameters into an SQL statement. Especially not if the values come from unprocessed user input. See what happens when you run your script and enter c'); DROP TABLE information -- at the Your city: prompt. Always use the parameters or args argument of the execute* methods to pass parameters to your queries.
@shmee your statement makes sense, can you please guide how to modify my answer accordingly.
Especially cx_Oracle offers several ways of safe parameter substitution. Generally in DB-API 2 compliant packages, you create an SQL string with placeholders, and pass either a sequence of values or a dictionary along with the SQL string to the execute method. E.g. cursor.execute("INSERT INTO table (col1, col2) VALUES (:1, :2)", ('value1', 'value2')) Have a look at the official docs I linked in my other comment and see some more elaborate examples in this tutorial.
However, note that the OP is tagged with mysql. The cursor's paramstyle differs from driver to driver.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.