sqlite3.OperationalError: near "s": syntax error
阿新 • • Published: 2020-12-23
```
Traceback (most recent call last):
  File "test.py", line 190, in <module>
    cursor.execute(sql)
sqlite3.OperationalError: near "s": syntax error
```
Suppose name contains a single quote followed by a t, as in

```python
name = "don't look now"
sql = "update foo set is_processed=1 where bar='"+name+"'"
```

Then sql would equal

```
In [156]: sql
Out[156]: "update foo set is_processed=1 where bar='don't look now'"
```

and sqlite3 will think the conditional is where bar='don' followed by a syntax error, t look now'. sqlite3 then raises

```
sqlite3.OperationalError: near "t": syntax error
```

This is an example of why you should always use parametrized SQL. To avoid this problem (and protect your code from SQL injection attacks), use parametrized SQL and pass a sequence (or, depending on the paramstyle, a mapping) of values as the second argument to cursor.execute:

```python
sql = "update foo set is_processed=1 where bar=?"
cursor.execute(sql, [name])
```

When you pass arguments (such as [name]) as the second argument to cursor.execute, sqlite3 will escape the single-quote for you.
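The following is an added, self-contained example (not code from the original post) that reproduces the failure above against an in-memory SQLite database and shows the parametrized form succeeding on the same value. The table foo and the sample row are constructed here; the column names match the post.

```python
import sqlite3

# Constructed sample value: the same quote-then-t case the post describes.
NAME = "don't look now"


def make_db():
    """Build a throwaway in-memory database with one row to update."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (bar text, is_processed integer default 0)")
    conn.execute("insert into foo (bar) values (?)", [NAME])
    conn.commit()
    return conn


def update_concatenated(conn, name):
    """Broken pattern from the post: the quote inside name ends the SQL literal,
    so the rest of the value is parsed as SQL and sqlite3 raises OperationalError."""
    sql = "update foo set is_processed=1 where bar='" + name + "'"
    conn.execute(sql)


def update_parametrized(conn, name):
    """Fixed pattern: the value is bound as a parameter and never parsed as SQL.
    Returns the number of rows updated."""
    sql = "update foo set is_processed=1 where bar=?"
    cur = conn.execute(sql, [name])
    conn.commit()
    return cur.rowcount


def is_processed(conn, name):
    """Read back the flag for a row, also using a bound parameter."""
    row = conn.execute("select is_processed from foo where bar=?", [name]).fetchone()
    return row[0] if row else None


def demo():
    """Run both variants; returns (error text from concatenation, rows updated, flag)."""
    conn = make_db()
    try:
        update_concatenated(conn, NAME)
        concat_error = None
    except sqlite3.OperationalError as exc:
        concat_error = str(exc)  # e.g. near "t": syntax error
    rows = update_parametrized(conn, NAME)
    return concat_error, rows, is_processed(conn, NAME)


if __name__ == "__main__":
    print(demo())
```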