Escaping confusion with Python 3 + MySQL

Νίκος Βέργος me.on.nzt at gmail.com
Sun Mar 26 17:23:46 EDT 2017


On Sunday, 26 March 2017 at 11:59:21 PM UTC+3, user Larry Hudson wrote:
> On 03/26/2017 01:21 AM, Νίκος Βέργος wrote:
> > print('''UPDATE visitors SET (pagesID, host, ref, location, useros, browser, visits) VALUES (%s, %s, %s, %s, %s, %s, %s) WHERE host LIKE "%s"''', (pID, domain, ref, location, useros, browser, lastvisit, domain) )
> >
> > prints out:
> >
> > UPDATE visitors SET (pagesID, host, ref, location, useros, browser, visits) VALUES (%s, %s, %s, %s, %s, %s, %s) WHERE host LIKE "%s" (1, 'cyta.gr', 'Άμεση Πρόσβαση', 'Greece', 'Windows', 'Chrome', '17-03-24 22:04:24', 'cyta.gr')
> >
> > How should I write the cursor.execute in order for it to be parsed properly?
> > As I have it now, %s does not get substituted.
> 
> You don't get the substitution because you're missing a %.
> 
> Change:
>      ... LIKE "%s"''', (pID, ...
> To:
>      ... LIKE "%s"''' % (pID, ...
> 
> -- 
>       -=- Larry -=-

No, I have tried it many times.
It fails and is prone to SQL injection within a cursor execute.

As I understood, I can have the UPDATE syntax be as similar to INSERT, like

(pagesID, host, ref, location, useros, browser, visits) VALUES (%s, %s, %s, %s, %s, %s, %s)

Each column needs to be set respectively as column1 = value1, column2 = value2, and so on.
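The form the thread is converging on, as an added example that is not part of the original post or of any MySQL driver: the UPDATE is written with one `column = %s` assignment per column, and the values are handed to `cursor.execute()` as its second argument so the driver binds them, rather than pasted into the statement text with the `%` operator as suggested in the quoted reply. The table and column names are taken from the post; `RecordingCursor`, `SAMPLE_VALUES`, `build_update`, `update_visitor` and `interpolated_statement` are constructed here so the example runs without a MySQL server.

```python
"""Parameterised UPDATE for a DB-API driver that uses the %s ("format")
paramstyle, as MySQLdb and PyMySQL do.

Example code written for this thread; the cursor stand-in below is a
constructed stub, not a real driver, so nothing talks to a database.
"""

# Column list from the post. These are identifiers from our own code,
# never user input; only the *values* go through parameter binding.
VISITOR_COLUMNS = ("pagesID", "host", "ref", "location",
                   "useros", "browser", "visits")

# Constructed sample row, using the values printed in the original post.
SAMPLE_VALUES = (1, "cyta.gr", "Άμεση Πρόσβαση", "Greece",
                 "Windows", "Chrome", "17-03-24 22:04:24")


def build_update(table, columns, key_column):
    """Return an UPDATE with one 'col = %s' assignment per column and a
    parameterised WHERE clause, e.g.
    UPDATE t SET a = %s, b = %s WHERE k = %s
    """
    assignments = ", ".join(f"{col} = %s" for col in columns)
    return f"UPDATE {table} SET {assignments} WHERE {key_column} = %s"


def update_visitor(cursor, values, host):
    """Run the UPDATE with the values bound by the driver.

    The statement text still contains the %s placeholders when it reaches
    execute(); the driver quotes and escapes each parameter itself, so a
    quote character inside a value stays data and never changes the SQL.
    """
    if len(values) != len(VISITOR_COLUMNS):
        raise ValueError(
            f"expected {len(VISITOR_COLUMNS)} values, got {len(values)}")
    sql = build_update("visitors", VISITOR_COLUMNS, "host")
    # Second argument to execute(): placeholders are counted left to
    # right, so the WHERE value goes last.
    cursor.execute(sql, tuple(values) + (host,))
    return sql


def interpolated_statement(sql, params):
    """What the '%' suggestion from the quoted reply actually produces.

    Python's % operator pastes the raw values into the statement text
    with no quoting, so MySQL would receive bare words such as
    'Άμεση Πρόσβαση' and, for strings containing quotes, a different
    statement than intended. Shown only as the thing to avoid.
    """
    return sql % params


class RecordingCursor:
    """Stand-in for a DB-API cursor (constructed for this example).

    It records exactly what execute() receives so the statement and the
    parameter tuple can be inspected without a live connection.
    """

    def __init__(self):
        self.calls = []

    def execute(self, sql, params=None):
        self.calls.append((sql, params))


if __name__ == "__main__":
    cur = RecordingCursor()
    sent_sql = update_visitor(cur, SAMPLE_VALUES, "cyta.gr")
    print("statement handed to the driver:")
    print("  ", sent_sql)
    print("parameters handed to the driver:")
    print("  ", cur.calls[0][1])
    print("what %-interpolation would have produced instead:")
    print("  ", interpolated_statement(sent_sql, cur.calls[0][1]))
```

With a real connection, `cur` is simply the cursor returned by `connection.cursor()`; the call shape `cursor.execute(sql, params)` is the same for MySQLdb and PyMySQL. Note that the placeholder count (seven SET columns plus one WHERE key) has to match the parameter tuple exactly, which is why the WHERE value is appended last.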
