sqlite3.OperationalError:接近“%”:语法错误:sqlite3.connect('site.db')。execute()

时间:2019-10-24 18:43:48

标签: javascript python html sqlite flask

我刚刚学习了如何使用sqlite3从前端编辑条目,但是调试语法错误时遇到了一些麻烦。

cur.execute("SELECT * FROM clubs WHERE id= %s", id)行是导致错误的原因。我已经尝试过cur.execute("SELECT * FROM clubs WHERE id= %s", [id])cur.execute("SELECT * FROM clubs WHERE id= %s", [club_id]),但是没有什么可以解决问题。

routes.py 

@clubs.route('/user_clubs/<int:user_id>', methods=['GET', 'POST'])
@login_required
def user_clubs(user_id):
    user = User.query.get_or_404(user_id)
    clubs = user.clubs
    form = ClubRegistrationForm()
    if form.validate_on_submit():
        advisor = User.query.filter_by(email=form.email.data).first()
        # TODO: Change this back to `ROLES['teacher']`
        if not advisor or advisor.role != ROLES['student']: 
            flash('That email does not belong to an advisor, or does not exist at all!', 'danger')
            # TODO: should this be a redirect?
            return render_template('user_clubs.html', clubs=clubs, user=user, form=form)
        club = Club(name=form.club_name.data)
        # TODO: ADD CHECK UNIQUE CLUB
        db.session.add(club)
        club.members.append(advisor)
        user.clubs.append(club)
        db.session.commit()
        flash('Your club has been created!', 'success')
        return redirect(url_for('clubs.user_clubs', user_id=user_id))
    return render_template('user_clubs.html', clubs=clubs, user=user, form=form) #change to num_club_members


@clubs.route('/edit_clubs/<int:user_id>/<int:club_id>', methods=['GET', 'POST'])
@login_required
def user_clubs_edit(user_id, club_id):
    user = User.query.get_or_404(user_id)
    club = Club.query.get_or_404(club_id)
    clubs = user.clubs
    id=str(club_id)
    # create cursor
    cur = sqlite3.connect('site.db')

    # get club by id
    cur.execute("SELECT * FROM clubs WHERE id= %s", id)

    club = cur.fetchone()
    cur.close()

    # get form
    form = ClubRegistrationForm()

    # populate fields
    form.club_name.data=club['club_name']
    form.advisor.data=club['advisor']

    if form.validate_on_submit():
        advisor = User.query.filter_by(email=form.email.data).first()
        # TODO: Change this back to `ROLES['teacher']`
        if not advisor or advisor.role != ROLES['student']: 
            flash('That email does not belong to an advisor, or does not exist at all!', 'danger')
            # TODO: should this be a redirect?
            return render_template('user_clubs.html', clubs=clubs, user=user, form=form)
        club = Club(name=form.club_name.data)
        # TODO: ADD CHECK UNIQUE CLUB
        db.session.add(club)
        club.members.append(advisor)
        user.clubs.append(club)
        db.session.commit()
        flash('Your club has been updated!', 'success')
        return redirect(url_for('clubs.user_clubs_edit', user_id=user_id))
    return render_template('user_clubs_edit.html', club=club, user=user, form=form)

我希望将具有指定ID的俱乐部提取到club=cur.fetchone()中,以便我可以访问该俱乐部的数据并将其输入到新表格中。

1 个答案:

答案 0 :(得分:0)

使用与SQLite交织在一起以防止SQL攻击的Python变量的安全方法如下:

cur.execute("SELECT * FROM clubs WHERE id=?", (id))
相关问题
最新问题