On Sat, Aug 9, 2014 at 12:51 PM, John Gordon <gor...@panix.com> wrote:
> You probably meant something like this instead:
>
>     sql = "DELETE FROM tblc_users WHERE user_email=%s" % line
>
> This will substitute the value of line for the %s.
>
> However, most (all?) SQL databases require string values to be enclosed
> in single quotes, and your database likely defines user_email as a string
> value. So you probably actually want something like this:
>
>     sql = "DELETE FROM tblc_users WHERE user_email='%s'" % line
>
> And even this solution isn't very good, because it allows SQL injection
> attacks if your text file contains something nasty. If this is anything
> other than a toy program, please take the time to look up prepared
> statements.

All SQL databases require strings to be quoted (it's part of the SQL spec), although some broken database engines (which I shall not name) do allow other forms of quote than the apostrophe.

But I would advise against even suggesting the interpolation method; there's absolutely no reason ever to do this sort of thing - it's just way too fragile. (Even if you think you can get it perfectly right now, do you really want to inflict the headache on the code's next maintainer?) Parameterized queries are a part of the Python database API, so go ahead and use them.

ChrisA
--
https://mail.python.org/mailman/listinfo/python-list
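
The difference between the two approaches discussed in this thread, shown as an added example that is not part of either message: the quoted `'%s'` interpolation beside a parameterized query, each run against the same line of input. It assumes the standard-library `sqlite3` driver and an in-memory table; the addresses and the hostile line are constructed sample data.

```python
import sqlite3

# Constructed sample data: table and column names follow the thread,
# the addresses and the hostile line are made up for this example.
USERS = ["alice@example.com", "bob@example.com", "carol@example.com"]
HOSTILE_LINE = "nobody@example.com' OR '1'='1"


def make_db():
    """Return an in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblc_users (user_email TEXT)")
    conn.executemany("INSERT INTO tblc_users VALUES (?)", [(u,) for u in USERS])
    return conn


def remaining(conn):
    """Number of rows still in the table."""
    return conn.execute("SELECT COUNT(*) FROM tblc_users").fetchone()[0]


def delete_interpolated(conn, line):
    """The quoted '%s' form from the thread: the value becomes SQL text."""
    sql = "DELETE FROM tblc_users WHERE user_email='%s'" % line
    return conn.execute(sql).rowcount


def delete_parameterized(conn, line):
    """Parameterized form: the value travels separately from the SQL text.
    sqlite3 uses '?' placeholders; MySQLdb and psycopg2 use '%s', with the
    values passed as the second argument to execute(), not via the % operator.
    """
    sql = "DELETE FROM tblc_users WHERE user_email=?"
    # strip() drops the newline that a line read from a text file carries.
    return conn.execute(sql, (line.strip(),)).rowcount


def demo():
    """Run both forms on the hostile line; return (rows deleted, rows left)."""
    results = {}
    for name, fn in (("interpolated", delete_interpolated),
                     ("parameterized", delete_parameterized)):
        conn = make_db()
        results[name] = (fn(conn, HOSTILE_LINE), remaining(conn))
        conn.close()
    return results


if __name__ == "__main__":
    print(demo())
```

With the interpolated form the hostile line empties the table; with the parameterized form it is compared as an ordinary string and matches no row.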