如何使用用户输入查询 SQL 服务器数据库？

Question

import pyodbc

def read(conn):
    print("Read")
    cursor = conn.cursor()

    userInputOpening = input("Enter a opening that you would like to know: ")
    print(userInputOpening)

    cursor.execute("select * from openings where name like '%{}%'".format(userInputOpening))
    
    for row in cursor:
        print(f"{row}")

conn = pyodbc.connect('Driver={SQL Server};'
                      'Server=SAM-PC\SQLEXPRESS;'
                      'Database=ChessOpenings;'
                      'Trusted_Connection=yes;'
)

read(conn)

I get a error with the user input when I use an ' within the name.

For example:

If the userInputOpening = london

It works and gives a list of all the openings that have something like "london" in them.

But...

If the userInputOpening = King's

It throws an error:

cursor.execute("select * from openings where name like '%{}%'".format(userInputOpening)) pyodbc.ProgrammingError: ('42000', "[42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near 's'. (102) (SQLExecDirectW); [42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark after the character string ''. (105)")

What do I need to put in the cursor.execute() so that it takes whatever the userInputOpening entered.

I want to treat it like a search engine and have it display all the results of the users search.

I also want to make it so that user doesn't have to be perfect with their title hence why I've added the LIKE in my SQL statement

Thanks!

Answer 1

The problem is the quotation mark in the input string (King's) Your SQL statement then becomes

where name like '%King's%' 

(hence an extra single quote error message). Change the single quote to two single quotes and it should work fine

 userInputOpening.replace("'", "''")

Not a python guy, but I believe that is the proper replace syntax