
I have an API endpoint as follows:

http://127.0.0.1:5000/data?params= spanish, italian, english

and this is my code in myflask.py:

from flask import Flask, request

app = Flask(__name__)

@app.route("/data", methods=["GET"])
def my_api():
    query = "SELECT * from tablex WHERE "
    params = request.args.get("params")

    if params:
        # the raw request value is formatted straight into the SQL text
        query += "col IN ('{}');".format(params)
    return query

What I expect in output is this query:

"SELECT * from tablex WHERE col in ('spanish', 'italian', 'english');"

But what I get is

"SELECT * from tablex WHERE col in ('spanish, italian, english');"

I also tried this:

query += "col IN ('{}');".format(','.join(params))

but it didn't work.

  • Don't do SQL queries that way. Search the Web for "sql injection" to see why. Don't ever trust what you receive in a request. Commented Nov 10, 2019 at 21:38
  • Thanks for your point. Do you have any suggestion or example of how I can prevent this injection? Commented Nov 10, 2019 at 21:47
  • Because all I find is in cursor.execute(), but I need to prepare the query and pass it to execute. Commented Nov 10, 2019 at 21:49

1 Answer

Maybe this can help you:

languages = ['spanish', 'italian', 'english']
# one %s placeholder per value, comma-separated: "%s,%s,%s"
string = ','.join(['%s'] * len(languages))
# print the query text and the tuple of values that would be bound to it
print("SELECT * from tablex WHERE col IN (%s)" % string, tuple(languages))

But I would recommend that you change the SELECT for a PROCEDURE.
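One way to put the answer's idea into the question's endpoint, as an added example that is not code from the question or the answer: split the request value, generate one placeholder per value, and bind the values instead of formatting them into the SQL. It assumes sqlite3's `?` placeholder style and a constructed in-memory `tablex`; a MySQL driver would use `%s` as in the answer.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows standing in for the question's "tablex".
SAMPLE_ROWS = [
    (1, "spanish"),
    (2, "italian"),
    (3, "english"),
    (4, "german"),
    (5, "o'brien"),  # a value containing a quote, to show it stays plain data
]


def parse_params(raw: str) -> Tuple[str, ...]:
    """Split the ?params= value on commas, trim whitespace, drop empty items."""
    return tuple(p.strip() for p in raw.split(",") if p.strip())


def build_in_query(values: Tuple[str, ...]) -> Tuple[str, Tuple[str, ...]]:
    """Return (sql, bound_values) with exactly one '?' placeholder per value.

    The values themselves never appear in the SQL text; the driver binds them.
    """
    if not values:
        raise ValueError("IN () is not valid SQL; at least one value is required")
    placeholders = ", ".join(["?"] * len(values))
    sql = f"SELECT * FROM tablex WHERE col IN ({placeholders});"
    return sql, values


def query_languages(raw_params: str) -> List[Tuple[int, str]]:
    """Run the parameterised IN query against an in-memory copy of tablex."""
    values = parse_params(raw_params)
    sql, bound = build_in_query(values)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tablex (id INTEGER PRIMARY KEY, col TEXT)")
    conn.executemany("INSERT INTO tablex VALUES (?, ?)", SAMPLE_ROWS)
    rows = conn.execute(sql, bound).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    # In the Flask view this would be request.args.get("params", "")
    print(build_in_query(parse_params(" spanish, italian, english")))
    print(query_languages(" spanish, italian, english"))
```

Note that the quotes the question tried to add around each value are not needed: they belong to SQL syntax, and bound values are compared without them.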
