0

I have encountered this type of problem in Python several times, and I only want to create an SQL update query.

My script is as below:

update1 = '''UPDATE User_Answer_Knowledge SET'''
+ "integration =" + str(21) + ", scope =" + str(12) + ", schedule =" + str(13) + ", cost =" + str(14) 
+ ", quality =" + str(15) + ", resource =" + str(16) + ", communication =" + str(17) + "WHERE User_Key = 1"

So what exactly is the problem? I also tried the following code, but the same problem arose:

update1 = '''UPDATE User_Answer_Knowledge SET'''
+ "integration =" + 21 + ", scope =" + 12 + ", schedule =" + 13 + ", cost =" + 14
+ ", quality =" + 15 + ", resource =" + 16 + ", communication =" + 17 + "WHERE User_Key = 1"

update1 = '''UPDATE User_Answer_Knowledge SET'''
+ "integration =" + "21" + ", scope =" + "12" + ", schedule =" + "13" + ", cost =" + "14"
+ ", quality =" + "15" + ", resource =" + "16" + ", communication =" + "17" + "WHERE User_Key = 1"

update1 = '''UPDATE User_Answer_Knowledge SET'''
+ "integration =" + '21' + ", scope =" + '12' + ", schedule =" + '13' + ", cost =" + '14'
+ ", quality =" + '15' + ", resource =" + '16' + ", communication =" + '17' + "WHERE User_Key = 1"

krimo

3 Answers

0

You need some \ at the end of the lines:

update1 = '''UPDATE User_Answer_Knowledge SET ''' \
+ "integration =" + str(21) + ", scope =" + str(12) + ", schedule =" + str(13) + ", cost =" + str(14) \
+ ", quality =" + str(15) + ", resource =" + str(16) + ", communication =" + str(17) + " WHERE User_Key = 1"

Otherwise the string declaration ends with the new line.

rdas
0

You seem to have split the statement over multiple lines. It therefore complains about the lines starting with a + sign.

There are multiple ways to fix this. You can:

  • write all the concatenation on one line
  • use the \ at the end of the line
  • use parentheses around all the arguments


John Sloper
0

@rdas has already answered, but I would also like to highlight that your query is vulnerable to SQL injection. You should parametrize the inputs, something like this:

"update table value = {0},value2={1}".format('21','99')
>>> 'update table value = 21,value2=99'
Equinox
  • Good point about sql injection. However the code listed here does not parameterize the queries at all, but simply does a string formatting which has the exact same problem as string concatenation. – John Sloper Oct 30 '20 at 11:02
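
A parameterized form of the update discussed in this thread, as an added example that is not code from any of the posters. It assumes Python's standard sqlite3 module and a constructed in-memory table (the question does not say which database driver is used); the helper names build_update and update_scores are hypothetical, and the placeholder syntax differs between drivers (`?` here, `%s` in some others).

```python
import sqlite3

# Column names cannot be bound as parameters, so they are checked against an allowlist.
ALLOWED_COLUMNS = ("integration", "scope", "schedule", "cost",
                   "quality", "resource", "communication")


def build_update(values):
    """Return (sql, params) for an UPDATE whose values are bound, not concatenated."""
    unknown = set(values) - set(ALLOWED_COLUMNS)
    if not values or unknown:
        raise ValueError(f"bad column set, unexpected: {sorted(unknown)}")
    columns = [c for c in ALLOWED_COLUMNS if c in values]
    assignments = ", ".join(f"{c} = ?" for c in columns)
    sql = f"UPDATE User_Answer_Knowledge SET {assignments} WHERE User_Key = ?"
    return sql, [values[c] for c in columns]


def update_scores(conn, user_key, values):
    """Run the UPDATE with every value (and the key) passed as a bound parameter."""
    sql, params = build_update(values)
    with conn:  # commits on success, rolls back on error
        cur = conn.execute(sql, params + [user_key])
    return cur.rowcount


def demo():
    # Constructed in-memory table standing in for the real database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User_Answer_Knowledge (User_Key INTEGER PRIMARY KEY, "
                 + ", ".join(ALLOWED_COLUMNS) + ")")
    conn.execute("INSERT INTO User_Answer_Knowledge (User_Key) VALUES (1), (2)")
    scores = dict(zip(ALLOWED_COLUMNS, (21, 12, 13, 14, 15, 16, 17)))
    changed = update_scores(conn, 1, scores)
    # Constructed hostile value: bound as data, it cannot add clauses to the statement.
    update_scores(conn, 2, {"integration": "0, cost = 99"})
    rows = conn.execute("SELECT User_Key, integration, cost "
                        "FROM User_Answer_Knowledge ORDER BY User_Key").fetchall()
    conn.close()
    return changed, rows


if __name__ == "__main__":
    print(demo())
```

With string formatting or concatenation, the second value would have become part of the SET clause; bound as a parameter it is stored as plain text in the integration column and cost stays untouched.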