import MySQLdb
from datetime import datetime

# Attendance script (Python 2): reads an RFID number from the prompt, looks up
# the matching employee in data_pegawai, prints the record, and tries to insert
# an attendance row into presensi, marked late or on time against 08:00:00.

# ID_RFID is free-form text typed at the prompt; treat it as untrusted input.
ID_RFID=raw_input("Masukkan nomor: ")
# Current wall-clock time as a zero-padded 'HH:MM:SS' string.
time=datetime.now().strftime('%H:%M:%S')
print time

# NOTE(review): connects as the MySQL root account with an empty password.
# A dedicated account limited to the rfid schema, with a real password, would
# limit what a bad query can reach.
db=MySQLdb.connect(host="localhost", user="root", passwd="", db="rfid")
cursor=db.cursor()

# NOTE(review): SQL injection risk. ID_RFID is formatted into the statement
# text with the % operator, so whatever was typed becomes part of the SQL.
# Pass it as a parameter instead and let the driver escape it:
#     cursor.execute("SELECT ... WHERE ID_RFID=%s", (ID_RFID,))
cursor.execute("SELECT ID_Pegawai, Nama_Pegawai, Jabatan FROM data_pegawai WHERE ID_RFID='%s'" %(ID_RFID))
data=cursor.fetchall()
for row in data:
    # Columns in SELECT order: employee id, employee name, job title.
    ID_Pegawai=str(row[0])
    Nama_Pegawai=str(row[1])
    Jabatan=str(row[2])

    # ''.join() over a str returns an equal str, so these are plain copies.
    strID_Pegawai=''.join(ID_Pegawai)
    strNama_Pegawai=''.join(Nama_Pegawai)

    print "ID Pegawai= " +ID_Pegawai
    print "Nama Pegawai= " +Nama_Pegawai
    print "Jabatan= " +Jabatan

    # String comparison; it orders correctly only because both sides are
    # zero-padded 'HH:MM:SS' values.
    if time>'08:00:00':
        # BUG: a string literal followed by (...) is a call expression, which
        # raises TypeError: 'str' object is not callable. Do not repair it by
        # inserting the % operator; keep the %s placeholders in the string and
        # hand the values to execute() as one tuple (see the SELECT note above).
        telat="INSERT INTO  presensi (ID_Pegawai, Nama_Pegawai, Jam_Masuk, Status) VALUES (%s, %s, %s, 'Terlambat')" (strID_Pegawai, strNama_Pegawai, time)
        # BUG: no name `cur` is defined in this script; the cursor created
        # above is called `cursor`.
        cur.execute(telat)
        print ("Status Anda= Anda Datang Terlambat")
    else:
        # Same two defects as the late branch: str called like a function, and
        # the undefined name `cur`.
        telat="INSERT INTO  presensi (ID_Pegawai, Nama_Pegawai, Jam_Masuk, Status) VALUES (%s, %s, %s, 'On Time')" (strID_Pegawai, strNama_Pegawai, time)
        cur.execute(telat)
        print ("Status Anda= Anda Datang Tepat Waktu")
    # NOTE(review): no db.commit() appears in this listing; if presensi uses a
    # transactional storage engine the INSERT may be discarded when the
    # connection closes. Confirm and commit after a successful insert.

I have code in Python like that and when I ran that code, I found an error: TypeError: 'str' object is not callable Would you like to help me fixing this error? I would appreciate it. :') thank you anw, and pardon me for my bad English.

1 Answer


You have two places where you are incorrectly trying to format SQL strings:

telat="INSERT INTO presensi (ID_Pegawai, Nama_Pegawai, Jam_Masuk, Status) VALUES (%s, %s, %s, 'Terlambat')" (strID_Pegawai, strNama_Pegawai, time) cur.execute(telat)

and:

telat="INSERT INTO  presensi (ID_Pegawai, Nama_Pegawai, Jam_Masuk, Status) VALUES (%s, %s, %s, 'On Time')" (strID_Pegawai, strNama_Pegawai, time)
cur.execute(telat)

Both statements are missing the % operator, so Python reads the string literal followed by parentheses as a function call:

>>> s = "%s %s %s" ("foo", "bar", "baz")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: 'str' object is not callable

What you probably meant was:

>>> s = "%s %s %s" % ("foo", "bar", "baz")
>>> s
'foo bar baz'

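However, to help prevent SQL injection attacks on your application, you should not format the values into the SQL string at all. Pass them to execute() as parameters and let the database driver escape them: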

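# MySQLdb's placeholder is %s (its paramstyle is "format"), not ?.
# The values go to execute() as ONE sequence in the second argument, and the
# driver escapes each of them. Never apply the % operator to the SQL string
# yourself. `cur` stands for the cursor object (named `cursor` in the question).
telat="INSERT INTO  presensi (ID_Pegawai, Nama_Pegawai, Jam_Masuk, Status) VALUES (%s, %s, %s, 'On Time')"
cur.execute(telat, (strID_Pegawai, strNama_Pegawai, time))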

See: Bobby Tables: A guide to preventing SQL Injection and related SO question Protecting against SQL injection in python

Despite the community downvoting this question and the "close votes", I feel obligated to provide this answer to help prevent Python web applications from being vulnerable to common attack vectors because of poor tutelage.

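DO NOT use the "INSERT|SELECT|UPDATE|DELETE ... %s %s %s" % (...) form! That includes the SELECT in the question, which formats the ID_RFID value read from the prompt straight into its WHERE clause.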

James Mills
    @cdarke Thanks taken care of :) There are two places where the OP is incorrectly formatting SQL string(s) :) – James Mills May 17 '15 at 09:13
  • I've changed them but there's an error: Traceback (most recent call last): File "C:\Python34\manggildatabase", line 31, in cursor.execute(ontime, strID_Pegawai, strNama_Pegawai, time) TypeError: execute() takes at most 3 arguments (5 given) – Pitkahismi Wimadatu May 17 '15 at 19:48