0

I am trying to insert values into a row of mysql database in a way that not be vulnerable to injection, but gives my syntax error. This is a piece of my code which causes the error:

cursor.execute("INSERT INTO api.mytable(id) VALUES (:id);", {"id": 1})

and error:

ERROR in connection: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':id)' at line 1")

code you please tell me what's the wrong with my code?

Braiano
  • 335
  • 6
  • 26

1 Answers1

1

I am assuming id is given as some kind if input! Hence you can always check for the required format and allow only required ones! This is to avoid SQL injection!. Hence the natural formatting as shown below should do the job! And this is very basic level checking!

id_in = input("Here is the id taken " )  ## can be through any source . It is just an example 

if isinstance(id_in,int): ##Please mention the required format here I am assuming it as integer
    cursor.execute("INSERT INTO api.mytable(id) VALUES (%s);", (id_in))
else:
    ##do some  stuff here
McLovin
  • 555
  • 8
  • 20