I’m using cx_Oracle to access our database. I would like the user to be

Question

0

Editorial Team

Asked: June 15, 20262026-06-15T03:46:41+00:00 2026-06-15T03:46:41+00:00

I’m using cx_Oracle to access our database. I would like the user to be

0

I’m using cx_Oracle to access our database. I would like the user to be able to input the station ID, for example:

stationID=(whatever the user inputs upon prompting)

cursor.execute('''select cruise, station, stratum
          from union_fscs_svsta
          where station=stationID
          order by cruise''')

Because the statement needs to be a string, how do I incorporate a user-defined variable?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-15T03:46:42+00:00

How not to do it:

id = raw_input("Enter the Station ID")
query = "select foo from bar where station={station_id}"
cursor.execute(query.format(station_id=id))

If someone enters a malicious sql string, it will be executed.

Instead of using python to format the string, let the database backend handle it for you. Exactly how you do this depends on the database you’re using. I think (?) this is correct for Oracle, but I can’t test it. Some databases use different characters (e.g. ? instead of %s in the case of SQLite).

id = raw_input("Enter the Station ID")
query = "select foo from bar where station=%s"
cursor.execute(query, [id])

Edit: Apparently, cx_Oracle defaults to a “named” paramstyle (You can check this by having a look at cx_Oracle.paramstyle.). In that case, you’d do something like this:

query = "select foo from bar where station=:station_id"
cursor.execute(query, station_id=id)

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I’m using cx_Oracle to access our database. I would like the user to be

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply