Updating a filename's counter value failed each time

Jens Thoms Toerring jt at toerring.de
Mon Jun 17 13:54:33 EDT 2013


In article <kpne3k$1066$1 at news.ntua.gr> you wrote:
> After a user selects a file from the form, that selection of his can be
> found from reading the variable 'filename'

> If the filename already exists in the database I want to update its
> counter and that is what I'm trying to accomplish by:

> -----------
> if form.getvalue('filename'):
>         cur.execute('''UPDATE files SET hits = hits + 1, host = %s, lastvisit = 
> %s WHERE url = %s''', (host, lastvisit, filename) )

There are (single) quotes missing around (at least) the file
name (the 'url' column) which I'm rather sure is a string -
you need them around all strings you use in SQL statements.

I don't know which database and interface you're using but I would
guess that many have the ability to insert quotes where necessary
etc. E.g. with sqlite3 you would use

   cur.execute('UPDATE files SET hits = hits + 1, host = ?, lastvisit = ? '
               'WHERE url = ?', (host, lastvisit, filename) )

and the quotes required around (at least) the 'filename' string
will be inserted automatically.

Also take care to check the filename you insert - a malicious
user might cobble together a file name that is actually a SQL
statement and then do nasty things to your database. I.e. never
insert values you received from a user without checking them.

> For some reason this never returns any data, because for troubleshooting
> I have tried:

> data = cur.fetchone()

There's nothing that your SQL statement (if correct) would return,
so what do you expect to have returned by the fetchone() method?

Perhaps there's something like the 'rowcount' property in sqlite3
which returns the number of rows modified by an INSERT or UPDATE.

> Since for sure the filename the user selected is represented by a record 
> inside 'files' table why its corresponding counter never seems to get 
> updated?

I would guess because you forgot the quotes around string
values in your SQL statement which thus wasn't executed.

                          Regards, Jens
-- 
  \   Jens Thoms Toerring  ___      jt at toerring.de
   \__________________________      http://toerring.de
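
An added example, not part of the original message: the UPDATE from this thread run against an in-memory sqlite3 database, using bound parameters and rowcount to tell whether a record was actually updated. The table layout, the sample rows and the names record_hit and demo are assumptions made for illustration.

```python
import sqlite3

def record_hit(conn, filename, host, lastvisit):
    """Bump the counter for filename and return the number of rows changed."""
    cur = conn.cursor()
    # The ? placeholders bind the values as data; they are never spliced into
    # the SQL text, so no manual quoting or escaping is involved.
    cur.execute(
        "UPDATE files SET hits = hits + 1, host = ?, lastvisit = ? "
        "WHERE url = ?",
        (host, lastvisit, filename),
    )
    conn.commit()
    # rowcount is how an UPDATE reports success: 0 means no record matched.
    return cur.rowcount

def demo():
    conn = sqlite3.connect(":memory:")
    # Constructed schema and rows, standing in for the poster's 'files' table.
    conn.execute(
        "CREATE TABLE files (url TEXT PRIMARY KEY, hits INTEGER, "
        "host TEXT, lastvisit TEXT)"
    )
    conn.execute("INSERT INTO files VALUES ('report.pdf', 0, '', '')")
    conn.execute("INSERT INTO files VALUES ('notes.txt', 5, '', '')")

    host, when = "203.0.113.7", "2013-06-17"  # constructed sample values
    result = {
        "known": record_hit(conn, "report.pdf", host, when),
        "unknown": record_hit(conn, "missing.txt", host, when),
        # A constructed file name carrying SQL syntax: as a bound parameter it
        # is only compared with the url column and matches nothing.
        "hostile": record_hit(conn, "x' OR '1'='1", host, when),
    }
    result["hits"] = dict(conn.execute("SELECT url, hits FROM files"))

    # An UPDATE produces no result set, so fetchone() has nothing to return.
    cur = conn.execute("UPDATE files SET hits = hits WHERE url = ?",
                       ("report.pdf",))
    result["fetchone"] = cur.fetchone()
    conn.close()
    return result

if __name__ == "__main__":
    print(demo())
```

A rowcount of 0 for a name that should exist points at a mismatch between the submitted value and the stored url, which is the case worth logging.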


