带有SELECT语句的MySQL ProgrammingError 1064

Question

table = "tbl_" + platform + "_chks"
search = "%" + search + "%"

cur.execute('''SELECT check_id,check_name,%s, FROM %s WHERE %s LIKE %s;''', (field,table,field,search))

I'm getting the following error:

ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''tbl_linux_chks' WHERE 'check_name' LIKE '%test%'' at line 1)

Answer 1

Try this:

cur.execute("""SELECT check_id,check_name,{} 
               FROM tbl_{}_chks 
               WHERE {} LIKE '%%{}%%'
               """.format(field,platform,field,search))

The reason this driver developers separate arguments from query is security. So you should take care about the data in the variables before using this solution.

Answer 2

%s query parameter placeholders can only be used for that, query parameters, not for identifiers like table or column names. When query parameters are used, strings are automatically quoted and escaped before inserted in a query, but quoting for table and column names is different.

MySQL uses single or double quotes for quoting values, but it uses backticks (`) for quoting identifiers.

For this to work correctly, you need to create the query first (using string formatting), then you can execute that query using query parameters:

# `field` and `platform` must not come from user input, or be validated!
table = "tbl_" + platform + "_chks"
query = ('SELECT check_id, check_name, `{0}` FROM `{1}` WHERE `{0}` LIKE %s'
         .format(field, table))
cur.execute(query, ("%" + search + "%",))

Make really sure that platform and fields do not come from user input, otherwise you'll have an sql injection vulnerability.