Wrong Sql Syntax Because Of Single Or Double Quote In String
sql = 'INSERT IGNORE INTO users_time_zone (user_id, email, username, gcm_reg_id, time_zone) ' \ 'VALUES(%s, '%s', '%s', '%s', '%s') ON DUPLICATE KEY UPDATE gcm_re
Solution 1:
Your code is vulnerable towards SQL Injection here...
You either want to use prepared statement:
sql = "INSERT IGNORE INTO users_time_zone (user_id, email, username, gcm_reg_id, time_zone) " \
"VALUES(%s, %s, %s, %s, %s) ON DUPLICATE KEY UPDATE gcm_reg_id =%s, id=LAST_INSERT_ID(id) "
data = (user_data['user_id'], user_data['email'], user_data['username'],
user_data['gcm_reg_id'], user_data['time_zone'], user_data['gcm_reg_id'])
cursor = conn.cursor()
cursor.execute(sql, data)
data = list(conn.escape_string, data)
sql = "INSERT IGNORE INTO users_time_zone (user_id, email, username, gcm_reg_id, time_zone) " \
"VALUES(%s, '%s', '%s', '%s', '%s') ON DUPLICATE KEY UPDATE gcm_reg_id ='%s', id=LAST_INSERT_ID(id) "\
% data
Post a Comment for "Wrong Sql Syntax Because Of Single Or Double Quote In String"