ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'S SIZE 11.5 NEW IN BOX', '$49.99')' at line 1")
MRAB
python at mrabarnett.plus.com
Mon Dec 9 13:06:21 EST 2013
On 09/12/2013 09:32, Daniel Watkins wrote:
> On Mon, Dec 09, 2013 at 12:41:57AM -0800, Jai wrote:
>> sql = """insert into `category` (url, catagory,price) VAlUES ('%s', '%s', '%s')"""%(link1,x,y)
>> sql = unicodedata.normalize('NFKD', sql).encode('ascii','ignore')
>> cursor.execute(sql)
>>
>> ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'S SIZE 11.5 NEW IN BOX', '$49.99')' at line 1")
>
> Though you haven't given the full traceback, I suspect that the lines
> above are what is causing your problem. My best guess is that you're
> being hit by a form of SQL injection[0], in that the values you are
> combining in to your query have single quotes which are resulting in an
> SQL statement that looks like:
>
> insert into `category` (url, category, price) VALUES ('...', 'MEN'S SIZE 11.5 NEW IN BOX', '$49.99');
>
> As you can see, the second value you are passing has mismatched quotes.
> This is a common problem, so the MySQLdb library handles it by allowing
> you to pass in the values you want to cursor.execute; it then takes care
> of escaping them correctly:
>
> sql = """insert into `category` (url, catagory,price) VAlUES ('%s', '%s', '%s')"""
> cursor.execute(sql, (link1, x, y))
>
You shouldn't put quotes around the placeholders:
sql = """insert into `category` (url, catagory,price) VAlUES (%s,
%s, %s)"""
cursor.execute(sql, (link1, x, y))
> I'm not 100% sure what the Unicode normalisation is meant to be doing,
> so you'll have to work out how to integrate that yourself.
>
>
> Cheers,
>
> Dan
>
>
> [0] https://en.wikipedia.org/wiki/SQL_injection
>
More information about the Python-list
mailing list