SQL query using current_user doesn't filter results
Question
The following query retrieves every reservation in the database, but I only want to get the reservations that the current user made. When I run the query in the mysql command line, it works. Why isn't this working in my app?
from flaskext.mysql import MySQL
from flask.ext.login import LoginManager
from flask_login import current_user
...
db = MySQL()
db.init_app(app)
...
cur = db.connect().cursor()
cur.execute("SELECT ReservationID FROM Reservation WHERE user_name=" + "'" + current_user + "';")
reservation_instance = cur.fetchall()
1 answers
solution1
1 ACCPTED 2015-10-07 17:47:55
current_user is a User instance. You can't just add it to a string, you need to use it's username (assuming you called the attribute "username").
You are currently open to SQL injection attacks. Never try to insert parameters into a query string yourself. Always use parameterized queries, which lets the driver do the work of building, quote, and escape the query properly.
cur.execute('SELECT ReservationID FROM Reservation WHERE user_name=?', [current_user.username])
The placeholder character (I used ? in the example) depends on the driver. Consider using SQLAlchemy , which normalizes this sort of thing and is much more powerful. There is the Flask-SQLAlchemy to make integration with Flask easier as well.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.