i Don't get why it makes trouble

Philip Semanchuk philip at semanchuk.com
Thu Aug 13 22:09:04 CEST 2009

On Aug 13, 2009, at 2:56 PM, azrael wrote:

>>>> j
> [u'Tata', u'Oriovac', u'PrimorskoGoranska', u'hrvatska', u'Kuna']
>>>> len(j)
> 5
>>>> h = """SELECT distinct u.id_ulica, o.id_opcina, z.id_zupanija,  
>>>> d.id_drzava, v.id_valuta FROM   ulica as u, opcina as o, zupanija  
>>>> as z, drzava as d, valuta as v  WHERE  u.naziv = '%s' AND o.naziv  
>>>> = '%s' AND z.naziv = '%s' AND d.naziv = '%s' AND v.naziv =  
>>>> '%s'""" % (j)
> Traceback (most recent call last):
>  File "<string>", line 1, in <string>
> TypeError: not enough arguments for format string

Hi azrael,
You already have an answer to your question so I won't address that. I  
want to point out that this is a dangerous way to build SQL statements.

For instance, what happens if someone enters a city name of L'viv?   
Your SQL will break due to mismatched single quotes. This kind of code  
is vulnerable to SQL injection attacks:

Parameterized SQL is safer. Googling for 'parameterized SQL Python'  
should find some examples for you.

Good luck

More information about the Python-list mailing list