-1
@app.route("/CreateAScheme",methods=['GET','POST'])
def CreateAScheme():
    if request.method == 'POST':
         userDetails = request.form
         Scheme = userDetails['Scheme']
         con = MySQL.connection.cursor()
         con.execute("CREATE TABLE %s (id int NOT NULL AUTO_INCREMENT, Course varchar(255) NOT NULL, Year varchar(255), PRIMARY KEY(id));",(Scheme))
         MySQL.connection.commit()
         con.close()
         flash("Succesfully Created")
         return "Succesfully"
    return render_template('index.html')

I am getting an error: "not all arguments converted during string formatting"

  • As an aside, you usually don't want to deal with dynamically named tables... What are you doing in the end? – AKX Apr 20 '20 at 12:43

2 Answers

1

Simply wrapping a variable in parentheses, like you're doing in (Scheme), does nothing.

.execute() expects a parameter tuple, no matter if it's just a 1-tuple, i.e. (Scheme,):

con.execute(
  "CREATE TABLE %s (id int NOT NULL AUTO_INCREMENT, Course varchar(255) NOT NULL, Year varchar(255), PRIMARY KEY(id));",
  (Scheme,)
)
AKX
  • After using backticks it works, but the table name is inside single inverted commas. For example, with `%s` and the table name CB, the output is 'CB'. Can you tell why this happens? – user9778557 Apr 20 '20 at 12:48
  • 1
    Oh, yeah. `%s` are meant for variable placeholders (`INSERT INTO ... VALUES (%s)`), not for syntactic elements and keywords (such as table names), so they get escaped using those rules. If you pre-validate `Scheme` to not contain anything illegal, so it doesn't expose you to SQL injection, you can, in this particular case, use regular `%` interpolation. – AKX Apr 20 '20 at 12:56
0
con.execute("CREATE TABLE %s (id int NOT NULL AUTO_INCREMENT, Course varchar(255) NOT NULL, Year varchar(255), PRIMARY KEY(id));" %(Scheme))

"Just Use regular % interpolation"

Thank You @AKX
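Added example, not part of either answer: AKX's comment allows plain `%` interpolation only if `Scheme` is pre-validated first. One way to do that check is sketched here; the allowlist pattern (deliberately stricter than MySQL's own identifier rules) and the helper names `validate_table_name` and `build_create_scheme_sql` are assumptions of this example.

```python
import re

# Allowlist for table names (assumption of this example): a letter or
# underscore first, then letters, digits or underscores, 64 characters at
# most (MySQL's identifier length limit).
_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

CREATE_SCHEME_SQL = (
    "CREATE TABLE `{table}` ("
    "id int NOT NULL AUTO_INCREMENT, "
    "Course varchar(255) NOT NULL, "
    "Year varchar(255), "
    "PRIMARY KEY(id));"
)


def validate_table_name(name):
    """Return name unchanged if it matches the allowlist, else raise ValueError."""
    # fullmatch() rather than match() with "$": "$" would accept a trailing newline.
    if not isinstance(name, str) or not _IDENTIFIER.fullmatch(name):
        raise ValueError("invalid table name: %r" % (name,))
    return name


def build_create_scheme_sql(scheme):
    """Build the CREATE TABLE statement around a validated table name."""
    # The name is an identifier, not a value, so a %s driver placeholder would
    # quote it as a string ('CB'). It is interpolated only after validation;
    # the allowlist guarantees it cannot contain a backtick or a quote.
    return CREATE_SCHEME_SQL.format(table=validate_table_name(scheme))


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the page.
    for candidate in ["CB", "scheme_2020", "CB` (id int); --", "", "2020scheme", "CB\n"]:
        try:
            print(build_create_scheme_sql(candidate))
        except ValueError as exc:
            print("rejected:", exc)
```

In the route, the call becomes `con.execute(build_create_scheme_sql(Scheme))` with no parameter tuple, and a `ValueError` can be returned to the client as a bad request.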