I'm using SQLite.
This is my query. I want to retrieve three columns and order by one of those columns.
query = "SELECT user_name, %s, %s FROM highscores_skills ORDER BY %s DESC"
cursor.execute(query, [skill, skill_exp, skill_exp])
I'm getting skill from a GET request, and skill_exp is basically '_exp' appended to skill.
Unfortunately this isn't working. I'm getting the column names as the result, like this:
John, attack, attack_exp
Doe, attack, attack_exp
where attack is the value of skill and attack_exp is the value of skill_exp.
It works if I don't use params but that's prone to SQL Injection.
I'm not sure what's wrong. I've also tried using ? instead of %s as placeholder like how it is in Python SQLite but nothing.
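Added example, not part of the original post: placeholders bind values, so the column names arrive as string literals (the output described above), and identifiers have to be checked against the table's real columns before being interpolated. It uses Python's sqlite3 module; the schema, the rows and the function names are constructed for illustration, and only highscores_skills, user_name, attack and attack_exp come from the question.

```python
import sqlite3

def make_db():
    # Constructed schema and sample rows for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE highscores_skills ("
                 "user_name TEXT, attack INTEGER, attack_exp INTEGER, "
                 "defence INTEGER, defence_exp INTEGER)")
    conn.executemany("INSERT INTO highscores_skills VALUES (?, ?, ?, ?, ?)",
                     [("John", 40, 38000, 10, 1200),
                      ("Doe", 55, 170000, 20, 4500)])
    return conn

def bound_as_values(conn, skill):
    # The query from the question: each placeholder is bound as a value,
    # so SQLite selects and sorts by constant strings, not by columns.
    skill_exp = skill + "_exp"
    q = "SELECT user_name, ?, ? FROM highscores_skills ORDER BY ? DESC"
    return conn.execute(q, [skill, skill_exp, skill_exp]).fetchall()

def table_columns(conn, table):
    # `table` is a constant chosen by the code, never request data.
    return {row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')}

def quote_ident(name):
    # Standard SQL identifier quoting: wrap in double quotes, double any inside.
    return '"' + name.replace('"', '""') + '"'

def top_by_skill(conn, skill):
    # Identifiers cannot be bound, so accept the request value only when it
    # and its _exp companion are real columns, then quote and interpolate.
    skill_exp = skill + "_exp"
    cols = table_columns(conn, "highscores_skills")
    if skill not in cols or skill_exp not in cols:
        raise ValueError("unknown skill")
    q = (f"SELECT user_name, {quote_ident(skill)}, {quote_ident(skill_exp)} "
         f"FROM highscores_skills ORDER BY {quote_ident(skill_exp)} DESC")
    return conn.execute(q).fetchall()

if __name__ == "__main__":
    conn = make_db()
    print(bound_as_values(conn, "attack"))  # column names repeated per row
    print(top_by_skill(conn, "attack"))     # real values, highest exp first
```

Any values in the same query (a WHERE filter or a LIMIT, for instance) should still go through placeholders; only the identifiers take the allowlist path.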