Click here to Skip to main content
15,886,519 members
Search within:


My Python code error with mysql select please help me
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
MySQL
Python
Basic
 
#=========login================
def loginCheck(self):
    Username = self.txt_name.text()
    Password = self.txt_Password.text()

    mydb = mysql.connector.connect( host="localhost",  user="root",  passwd="",  database ="mydatabase")
    mydb = mydb.cursor()
    mydb.execute("select * from tbl_name where name ='"Username"' && password = '"Password"'")

    if(len(myresult = mydb.fetchone()) > 0):
        print("user found !")
    else:
        print("User Not found !")


What I have tried:

<pre>  File "d:\from\fromlogin.py", line 20
    mydb.execute("select * from tbl_name where name = '"Username"' && password = '"Password"';")
                                                               ^
SyntaxError: invalid syntax

the message it
i try but it still so error like this
Posted
Updated 11-Jun-19 0:22am
Add a Solution

2 solutions

You need to use the + sign to concatenate literal strings with variable values:
Python
mydb.execute("select * from tbl_name where name = '" + Username + "' && password = '" + Password + "';")

However, you should never store passwords in clear text, it leaves your system vulnerable to hackers. Use a hash method to convert the password into a salted hash (Google it) for a more secure system.
 
Share this answer
 
Posted
In addition to what Richard has said, Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

And with your current code, I can bypass yo password checking completely by adding "'--" to the end of any username ...

See here for some info on how to hash passwords: Password Storage: How to do it.[^]

And remember: if this is web based and you have any European Union users then GDPR applies and that means you need to handle passwords as sensitive data and stored them in a safe and secure manner. Text is neither of those and the fines can be .... um ... outstanding. In December 2018 a German company received a relatively low fine of €20,000 for just that.
 
Share this answer
 
Posted
Comments
Richard MacCutchan 11-Jun-19 6:42am    
I would have mentioned that, but I don't know how to do SQL with parameters in Python. My list of things to learn is getting longer rather than shorter. :(
OriginalGriff 11-Jun-19 6:45am    
Google knows:
https://pynative.com/python-mysql-execute-parameterized-query-using-prepared-statement/
Richard MacCutchan 11-Jun-19 6:56am    
Also at W3Schools, which is one of my gotos.
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
Need help on Python! ! ...
How to solve this Python error code problem
I can't seem to fix the error in this Python code. Can I know what it is? The error seems to appear in the 84th line.
Something is wrong with my Python code
I havewritten a code but there are few errors in this code please help me in sorting those errors and please provide me updated code
Use mysql DATE_FORMAT in Python
Mysql Python connection error
Inserting Values on MySQL using python
ERROR in executing Python code contains mysql code gives error internalerror: unread result found
Convert Python to C code

Advertise
Privacy
Cookies
Terms of Use
Last Updated 11 Jun 2019
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web03 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900