Python MySQLdb WHERE SQL LIKE

Question

I have recently started to learn Python and MySQL for web purposes and I have run into a following problem :

I want to pull out from a mysql database one record that contains any text that I enter in param section, howerver I am running into following problem when making a query:

traceback (most recent call last):
  File "/Users/Strielok/Desktop/test.py", line 13, in <module>
    c.execute("SELECT * FROM data WHERE params LIKE ('%s%') LIMIT 1"  % (param))
TypeError: not enough arguments for format string

Here is my code:

import MySQLdb



db = MySQLdb.connect (host = "localhost",
                          user = "root",
                          passwd = "root",
                          db = "test")
param = "Test"

par = param

c = db.cursor()

c.execute("SELECT * FROM data WHERE params LIKE ('%s%') LIMIT 1"  % (param))


data = c.fetchall()
print data

c.close()

Thanks in advance.

Answer 1

Directly inserting the data into the SQL string is not the best way to do this, as it is prone to SQL injection. You should change it to this:

c.execute("SELECT * FROM data WHERE params LIKE %s LIMIT 1", ("%" + param + "%",))

Answer 2

A better aproach (and safer), instead to use a string as "%" + param + "%" would be to escape % char in template string with another % (so, %%), so it'll be:

c.execute("SELECT * FROM data WHERE params LIKE '%%%s%%' LIMIT 1", (param,))