I am using prepared statements for my SQL insert query, and I am receiving the message that there is an error in the syntax.
I have tried using PHPMyAdmin and used the same query in that and substituted the placeholders for the real values and that query worked fine, therefore I am assuming it is something to do with my use of prepared statements.
def create_user(f_name, s_name, email, sex, dob, mobile=None):
try:
conn = mysql.connector.connect(host=host, user=user, passwd=password) # create a connection to the database
cursor = conn.cursor(prepared=True) # Creates a cursor that is expecting prepared
if mobile is not None: # if the mobile number is specified
sql_parameterized_query = ("""BEGIN;
INSERT INTO users (FirstName, Surname, Email, Dob, Gender, Mobile)
VALUES (%s, %s, %s, %s, %s, %s);
INSERT INTO passwords (UserID, hashedPass)
VALUES (LAST_INSERT_ID(),%s);
COMMIT;""")
query_array = (f_name, s_name, email, date_sql_format(dob), sex, mobile, hash_user_password)
else: # if the mobile number is not specified
sql_parameterized_query = ("""BEGIN;
INSERT INTO users (FirstName, Surname, Email, Dob, Gender)
VALUES(%s, %s, %s, %s, %s);
INSERT INTO passwords (UserID, hashedPass)
VALUES(LAST_INSERT_ID(),%s);
COMMIT;""")
query_array = (f_name, s_name, email, date_sql_format(dob), sex, hash_user_password) # Init array of values
cursor.execute(sql_parameterized_query, query_array) # Execute query
conn.commit()
I would like it to insert the details for a new user into the database all fields are required excluding the mobile phone number, that is why I have used the if statement to separate them, if this is poor practice then please guide me in the correct direction for that too as I could not find a more elegant way of solving that issue, anyway, when calling the function like so create_user("Ollie", "Pugh", "oliver.pugh#icloud.com", "M", "22-04-2001")
The variable query_array has the value of ('Ollie', 'Pugh', 'oliver.pugh#icloud.com', '2001-04-22', 'M', '$2b$12$RU9FRcNjgHlC78kjZA5OIeqT1s1K2LHndC2iDK8mcqkadGc8d9XO2')
The message I receive is: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'INSERT INTO users (FirstName, Surname, Email, Dob, Gender)' at line 2
The structure of the table Users is:
CREATE TABLE `users` (
`UserID` int(11) NOT NULL AUTO_INCREMENT,
`FirstName` varchar(255) NOT NULL,
`Surname` varchar(255) NOT NULL,
`Email` varchar(255) NOT NULL,
`Dob` date NOT NULL,
`Gender` char(1) NOT NULL,
`Mobile` varchar(11) DEFAULT NULL,
`timeOfCreation` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
`Authority` varchar(255) NOT NULL DEFAULT 'User',
PRIMARY KEY (`UserID`)
) ENGINE=InnoDB AUTO_INCREMENT=23 DEFAULT CHARSET=latin1
The solution to my problem was to create a procedure, I named it CreateUser and consisted of:
BEGIN
START TRANSACTION;
IF mobile = "NULL" THEN
SET mobile = null;
END IF;
INSERT INTO `cl43-flexfit`.users (FirstName, Surname, Email, Dob, Gender,Mobile)
VALUES (f_name, s_name, email, dob, gender, mobile);
INSERT INTO `cl43-flexfit`.passwords (UserID, hashedPass)
VALUES (LAST_INSERT_ID(), passhash);
COMMIT;
END
And I have modified the python script to have two cursors as I could not use a USE statement within the procedure nor could I use one with a cursor that was configured for prepared statements.
try:
conn = mysql.connector.connect(host=host, user=user, passwd=password) # create a connection to the database
cursor = conn.cursor() # Have to have two as you can not select database with a prepared cursor
prep_cursor = conn.cursor(prepared=True) # Creates a cursor that is expecting prepared
if mobile is None: # if the mobile number is not specified
mobile = "NULL" # This is recognised as null in the procedure
sql_parameterized_query = "CALL CreateUser(%s, %s, %s, %s, %s, %s, %s)" # Calls the create user procedure
query_array = (f_name, s_name, email, date_sql_format(dob), sex, mobile, hash_user_password)
cursor.execute("USE `cl43-flexfit`;")
prep_cursor.execute(sql_parameterized_query, query_array) # Execute query
conn.commit()
I'm sure there are still better ways of doing this, but this does the job for now.
Related
Using the sqlite3 module, I created a database of clients in the bank. The client has an id as the primary key, name and surname (as one string), account number and a passcode. I also defined the token attribute in which the token of the user accessing the account will be stored. The problem that I have come across is that when I run the program in cmd.exe or in visual studio code it just says access granted and prints out 3 tokens without asking me to input anything, how do I change the code so that it asks me for account_name and passcode input in the terminal or in cmd.exe after I run the program?
import sqlite3
import uuid
conn = sqlite3.connect("bank.db")
cursor = conn.cursor()
cursor.execute(
"CREATE TABLE IF NOT EXISTS clients (id INTEGER PRIMARY KEY, name TEXT, account_number TEXT, code TEXT, token TEXT)"
)
cursor.execute(
"INSERT INTO clients (name, account_number, code) VALUES (?, ?, ?)",
("John Smith", "123456", "5082"),
)
cursor.execute(
"INSERT INTO clients (name, account_number, code) VALUES (?, ?, ?)",
("Jane Doe", "234567", "1428"),
)
cursor.execute(
"INSERT INTO clients (name, account_number, code) VALUES (?, ?, ?)",
("Bob Johnson", "345678", "7195"),
)
conn.commit()
def authenticate(account_number, code):
cursor.execute(
"SELECT * FROM clients WHERE account_number=? AND code=?", (account_number, code)
)
client = cursor.fetchone()
if not client:
return "Error: client not found"
token = str(uuid.uuid4())
cursor.execute(
"UPDATE clients SET token=? WHERE id=?", (token, client[0])
)
conn.commit()
return f"Access granted. Token: {token}"
print(authenticate("123456", "5082"))
print(authenticate("234567", "1428"))
print(authenticate("345678", "7195"))
print(authenticate("999999", "xxxxxx"))
conn.close()
I stepped over an problem while implementing a Database into my Python project.
I'm creating a new Table with the following Code:
mycursor = mydb.cursor()
sql = f"CREATE TABLE IF NOT EXISTS _{self.client_id} (tour_date DATE, tour_distance INT, tour_duration INT, tour_elevation_up INT, tour_elevation_down INT, tour_map_image TEXT, tour_name TEXT, tour_sport TEXT, tour_start_point TEXT, tour_type TEXT)"
mycursor.execute(sql)
mydb.commit()
I'm iterating over my Data and want to past it into the Table. But I won't want that if an entry already exists in the table it adds the same data again.
This is my code I currently have to Insert into my Table:
mycursor = mydb.cursor()
sql = f"INSERT INTO _{self.client_id} (tour_date, tour_distance, tour_duration, tour_elevation_up, tour_elevation_down, tour_map_image, tour_name, tour_sport, tour_start_point, tour_type) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s) "
val = (TourDate, TourDistance, TourDuration, TourElevation_up, TourElevation_down, TourMap_image, TourName, TourSport, TourStart_point, TourType)
mycursor.execute(sql, val)
mydb.commit()
So my question is how can I check if a entry already exists in the Table and then avoiding creating a duplicate?
you can "select count() from your_table_name where client_id='current_id'
if count() return int that is greater than 0, you should not insert it into the databse.
First - avoid to use TEXT without it necessary
Second - create table with necessary indexes:
CREATE TABLE IF NOT EXISTS _{self.client_id} (
tour_date DATE,
tour_distance INT,
tour_duration INT,
tour_elevation_up INT,
tour_elevation_down INT,
tour_map_image TEXT,
tour_name VARCHAR(64) PRIMARY KEY,
tour_sport VARCHAR(64),
tour_start_point VARCHAR(64),
tour_type VARCHAR(64)
);
Third - use INSERT IGNORE ... statement for prevent duplicates
I want to upsert with least effort, for simplicity, i reduce columns, this not work:
sql = '''INSERT INTO temp.tickets
(id, created_at, updated_at, emails, status)
VALUES
(%s, %s, %s, %s, %s)
ON CONFLICT (id)
DO UPDATE SET ( emails, status) values (%s,%s)
'''
cursor = cm.cursor()
## cm is a custom module
cursor.execute(sql, (ticket['id'],
ticket['created_at'],
ticket['updated_at'],
ticket['emails'], ticket['status'], )
This code show Error:
return super(DictCursor, self).execute(query, vars)
IndexError: tuple index out of range
What I need to change in the cursor.execute() to work?
The Bellow code work but I like to use %s instead of type: email = excluded.email for each columns
sql = '''INSERT INTO temp.tickets
(id, created_at, updated_at, emails, status)
VALUES
(%s, %s, %s, %s, %s)
ON CONFLICT (id)
DO UPDATE SET emails = excluded.eamils, status = excluded.status
'''
cursor = cm.cursor()
# cm is a custom module
cursor.execute(sql, (ticket['id'],
ticket['created_at'],
ticket['updated_at'],
ticket['emails'], ticket['status'], )
There are two Relevant Questions link1, link2
I would try something like this:
sql = '''INSERT INTO temp.tickets
(id, created_at, updated_at, emails, status)
VALUES
(%s, %s, %s, %s, %s)
ON CONFLICT (id)
DO UPDATE SET ( emails, status) values (%s,%s)
'''
cursor = cm.cursor()
## cm is a custom module
cursor.execute(sql, (ticket['id'],
ticket['created_at'],
ticket['updated_at'],
ticket['emails'],
ticket['status'],
ticket['emails'],
ticket['status'] )
Thre number of %s must match the number of parameters.
When Postgres encounters a captured conflict it basically creates a record called EXCLUDED that contains the values you attempted to insert, You can refer to this record in DO UPDATE. Try the following:
INSERT INTO temp.tickets
(id, created_at, updated_at, emails, status)
VALUES
(%s, %s, %s, %s, %s)
ON CONFLICT (id)
DO UPDATE
SET emails = excluded.emails
, status = excluded.status
, updated_at = excluded.updated_at -- my assumption.
...
You will have to format is into the requirements of your source language.
I have 2 things I needed help with:
1) I am unsure as to how I can check if a table exists in python using the sqlite3 library.
2) I am unsure as to how I can save variables from the program to a database. I want to be able to check if UserDetails exists before making the database.
I've been reading around and everyone is doing stuff differently,
Here is the section of my code that is responsible for saving the variables:
connection = sqlite3.connect("UserDetails.db")
crsr = connection.cursor()
#create table
sql_command = table_creator
crsr.execute(sql_command)
#insert values into table
data_to_insert = (username, first_name, surname, age, user_salt, password_hash, date_today)
sql_command = """INSERT INTO UserDetails VALUES ((?, ?, ?, ?, ?, ?, ?), data_to_insert);"""
crsr.execute(sql_command)
connection.commit() #save changes
connection.close() #terminate connection
and in case you want to see table_creator it looks like this:
table_creator = '''CREATE TABLE `UserDetails` (
`Username` VARCHAR(8) NOT NULL,
`Firstname` VARCHAR(10) NOT NULL,
`Surname` VARCHAR(20) NOT NULL,
`Age` INT(2) NOT NULL,
`Salt` VARCHAR(10) NOT NULL,
`Hash` VARCHAR(64) NOT NULL,
`Date` DATE NOT NULL,
PRIMARY KEY (`UserName`)
);'''
I will appreciate and feedback or support.
I am still learning to code, and my CompSci teacher doesnt teach us Python specifically, so what I know is self taught.
Oh and this is the error message I get:
Traceback (most recent call)
File "c:/Users/Arslan/Project A2/login.py", line 99, in <module>
save_details()
File "c:/Users/Arslan/Project A2/login.py", line 93, in save_details
crsr.execute(sql_command)
sqlite3.OperationalError: no such column: data_to_insert
How to check if a table exists or no :
The first way :
Use this query:
SELECT name FROM sqlite_master WHERE type='table' AND name='{table_name}';
Modify {table_name} with your table to check
There are two cases :
. If the cursor equal to 0 ==> the table does not exist
Else, the table exists
The second way:
Use :
PRAGMA table_info(table_name)
example:
The third way :
Use this query :
select 1 from table
It will return the constant 1 for every row of the table if the table exists, or nothing if not.
There are many other ways, but I listed the best in my opinion.
How to save variables from the program to a database:
To insert data into sqlite3, you can use :
cursor.execute("insert into UserDetails values (?, ?, ?, ?, ?, ?, ?)", (username, firstname, surname, age, salt, hash, date))
DON'T USE (SQL injection):
cursor.execute("insert into UserDetails values ('{1}', '{2}', '{3}', '{4}', '{5}', '{6}', '{7}')".format(username, firstname, surname, age, salt, hash, date))
Don't forget :
conn.commit()
Or you can use instead of it the connection as a context manager:
with conn:
# then cursor.execute..
1) I am unsure as to how I can check if a table exists in python using the sqlite3 library.
Use CREATE TABLE IF NOT EXISTS:
table_creator = '''CREATE TABLE IF NOT EXISTS `UserDetails` (
`Username` VARCHAR(8) NOT NULL,
`Firstname` VARCHAR(10) NOT NULL,
...
);'''
2) I am unsure as to how I can save variables from the program to a database.
You can pass variables for insert with the following syntax:
data_to_insert = (username, first_name, surname, age, user_salt, password_hash, date_today)
sql_command = '''INSERT INTO UserDetails VALUES (?, ?, ?, ?, ?, ?, ?)''';
crsr.execute(sql_command, data_to_insert )
I have been trying to return the values from two different tables, but can't seem to get the c.execute(query) function to return what I want it to. Currently my code will return the first c.fetchone()[0], but the second fetchone()[5] gives an error that it's out of range, which means it is probably still trying to get data from my 'clients' table which does not have 6 columns. I don't think I fully understand how MySQLdb works it's magic, but can't find any good examples of multi-table queries. Here is my code snippet below! Thanks!
c, conn = connection()
#check if already exists
x = c.execute("SELECT * FROM clients WHERE email = (%s)", (thwart(email),))
if int(x) > 0:
flash("That email already has an account, please try a new email or sign in.")
return render_template('register.html', form=form)
else:
c.execute("INSERT INTO clients (email, phone, password) VALUES (%s, %s, %s)", (thwart(email), thwart(phone), thwart(password)))
c.execute("SELECT cid FROM clients WHERE email = (%s)", (thwart(email),))
clientcid = c.fetchone()[0]
c.execute("INSERT INTO cpersonals (first_name, last_name, address, zip) VALUES (%s, %s, %s, %s)", (thwart(first_name), thwart(last_name), thwart(address), czip))
c.execute("SELECT reg_date FROM cpersonals WHERE cid = (%s)", (clientcid,))
reg_date = c.fetchone()[5]
rating = c.execute("SELECT rating FROM clients WHERE email = (%s)", (thwart(email),))
conn.commit()
flash("Thanks for registering!")
c.close()
conn.close()
Your query is SELECT reg_date FROM cpersonals .... You are only selecting one column. The reason fetchone()[5] fails is, there is no 6th column in the fetched record. Try 0 in place of 5.
Why were you using 5?