0

I'm not familiar with SQL(or python to be honest), and i was wondering how to add variables into tables. This is what i tried:

import sqlite3
conn = sqlite3.connect('TESTDB.db')
c = conn.cursor()
c.execute('''CREATE TABLE IF NOT EXISTS table(number real, txt text)''')
r=4
c.execute('''INSERT INTO table(r,'hello')''')
conn.commit()
conn.close()

This doesn't work.I get the error, "TypeError: 'str' object is not callable"How do i make the table insert the variable r??

Thanks

Skulli01
  • 25
  • 4
  • Possible duplicate of [In Python, can you have variables within triple quotes? If so, how?](https://stackoverflow.com/questions/3877623/in-python-can-you-have-variables-within-triple-quotes-if-so-how) – Munim Munna Jul 13 '18 at 10:52
  • Why is this tagged mysql? – Shawn Jul 13 '18 at 20:42

2 Answers2

1

You have to bind values to placeholders in a prepared statement. See examples in the documentation.

Trying to build a query string on the fly with unknown values inserted directly in it is a great way to get a SQL injection attack and should be avoided.

Shawn
  • 47,241
  • 3
  • 26
  • 60
-1

Your problem is that you don't inject r properly into your query. This should work:

c.execute('''INSERT INTO table(''' + str(r) + ''','hello')''')

cheers

cuda12
  • 600
  • 3
  • 15