I'm having a hard time getting some SQL in Python to correctly go through MySQLdb. It's Python's string formatting that is killing me.
My sql statement is using the
Those queries all appear to be vulnerable to SQL injection attacks.
Try something like this instead:
curs.execute("""SELECT tag.userId, count(user.id) as totalRows
                FROM user
                INNER JOIN tag ON user.id = tag.userId
                WHERE user.username LIKE %s""", ('%' + query + '%',))

Where there are two arguments being passed to execute().
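A runnable version of the parameterized LIKE query from the answer above, added here as an example and not taken from the question or the answer. It uses the standard-library sqlite3 module as a stand-in for MySQLdb so it runs offline; the only visible difference is that sqlite3 uses `?` placeholders where MySQLdb uses `%s`. The schema and rows are constructed, a `GROUP BY` and `ORDER BY` are added so the count is per user, and the `escape_like` helper is an assumed addition that stops a user-supplied `%` or `_` from acting as a wildcard inside the pattern.

```python
# Added example (not from the original question or answer). sqlite3 stands in
# for MySQLdb: same idea, the value is passed as a separate tuple and the
# driver binds it, so quotes in the input never reach the SQL text.
import sqlite3


def build_db():
    """Constructed in-memory schema matching the tables used in the answer."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE tag (userId INTEGER, name TEXT);
        INSERT INTO user VALUES (1, 'alice'), (2, 'bob'), (3, 'o''malley');
        INSERT INTO tag VALUES (1, 'python'), (1, 'sql'), (2, 'mysql'), (3, 'perl');
    """)
    return conn


def escape_like(value):
    """Assumed helper: escape LIKE wildcards so the input matches literally.

    Parameter binding protects the SQL structure, but '%' and '_' inside the
    bound value are still interpreted by LIKE; escaping them keeps a search
    for "%" from matching every row.
    """
    return (value.replace("\\", "\\\\")
                 .replace("%", "\\%")
                 .replace("_", "\\_"))


def count_tags_by_user(conn, query):
    """Parameterized form of the answer's query; returns [(userId, totalRows), ...]."""
    curs = conn.cursor()
    curs.execute("""SELECT tag.userId, count(user.id) AS totalRows
                    FROM user
                    INNER JOIN tag ON user.id = tag.userId
                    WHERE user.username LIKE ? ESCAPE '\\'
                    GROUP BY tag.userId
                    ORDER BY tag.userId""",
                 ('%' + escape_like(query) + '%',))   # pattern passed as data
    return curs.fetchall()


if __name__ == "__main__":
    db = build_db()
    print(count_tags_by_user(db, "ali"))      # [(1, 2)]
    print(count_tags_by_user(db, "o'mal"))    # [(3, 1)]  quote handled by binding
    print(count_tags_by_user(db, "%"))        # []        wildcard escaped, literal match
    print(count_tags_by_user(db, ""))         # [(1, 2), (2, 1), (3, 1)]
```

The `o'mal` call is the case that breaks when the value is formatted into the string with `%` before `execute()` is reached: the apostrophe would terminate the SQL literal. With binding it is just a character in the data.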