Python MySQLdb WHERE SQL LIKE

Directly inserting the data into the SQL string is not the best way to do this, as it is prone to SQL injection. You should change it to this:

c.execute("SELECT * FROM data WHERE params LIKE %s LIMIT 1", ("%" + param + "%",))


A better aproach (and safer), instead to use a string as "%" + param + "%" would be to escape % char in template string with another % (so, %%), so it'll be:

c.execute("SELECT * FROM data WHERE params LIKE '%%%s%%' LIMIT 1", (param,))

Tags:

Python

Mysql

Mysql Python

Recent Posts