Do not use string formatting to insert variables into your queries; it opens you up to the risk of SQL injection (see e.g. What is SQL injection?). Instead, and per the documentation, you should use `?` to represent variables in the query, and let the library escape and insert them appropriately.

Next, you need to actually include wildcards along with `model_name` if you want looser matching. At the moment you're creating:

```sql
select col1,col2,col3 from tablename where col3 like 'test' order by col3
```

You need to surround `model_name` with the wildcards before passing it into the query, e.g. using `'%%%s%%' % model_name` (note that you need to repeat each `%` to escape it in `printf`-style formatting) or one of the more modern string formatting options.

In this case, for example (using `str.format`):
```python
# The wildcards are added to the Python value; the query itself only contains
# the ? placeholder, so the driver binds the whole pattern as one string.
model_name1 = Master_Cursor.execute(
    "select col1, col2, col3 from tablename where col3 like ? order by col3",
    ("%{}%".format(model_name),)
).fetchall()
```
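A runnable comparison of the two approaches, added here as an example rather than taken from the answer above. It assumes the `?` paramstyle of Python's built-in `sqlite3` module, and uses a constructed in-memory table in place of the questioner's `tablename`.

```python
import sqlite3

# Constructed sample rows standing in for the questioner's table.
ROWS = [
    ("a", 1, "test-model"),
    ("b", 2, "other"),
    ("c", 3, "my test 2"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tablename (col1, col2, col3)")
    conn.executemany("insert into tablename values (?, ?, ?)", ROWS)
    return conn


def search_unsafe(conn, model_name):
    """The questioner's pattern: the value is pasted straight into the SQL text.

    Any quote character in model_name changes the structure of the statement,
    and no wildcards are added, so only an exact match is found.
    """
    sql = ("select col1,col2,col3 from tablename where col3 like '%s' "
           "order by col3" % model_name)
    return conn.execute(sql).fetchall()


def search_safe(conn, model_name):
    """The answer's pattern: wildcards wrap the Python value, the driver binds it."""
    pattern = "%{}%".format(model_name)
    return conn.execute(
        "select col1, col2, col3 from tablename where col3 like ? order by col3",
        (pattern,),
    ).fetchall()


def compare(model_name):
    """Run both searches on a fresh database and return (unsafe, safe) results.

    If the string-formatted query is no longer valid SQL, the unsafe result is
    an 'error: ...' string instead of a row list.
    """
    conn = make_db()
    try:
        unsafe = search_unsafe(conn, model_name)
    except sqlite3.OperationalError as exc:
        unsafe = "error: %s" % exc
    return unsafe, search_safe(conn, model_name)
```

With the input `test`, the formatted query finds nothing because it has no wildcards, while the parameterized one returns both matching rows; with an input containing a single quote, the formatted query is no longer valid SQL, while the parameterized one simply treats the quote as part of the search text.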