I'm using MySQL with MATLAB, and I want to get a name from the user and pass it to a table in MySQL, but it is rejecting a variable name in place of a string.

var_name=input('enter the name:');

mysql('insert into table (name) values (var_name)');

Any suggestions?

FIRST read the comments on this question - you don't want to shoot yourself in the foot with a MySQL injection security problem. You have been warned. Now, to solve your current problem, without addressing the security risk of the whole approach when it comes to building SQL queries, read on...

In principle Amro has already posted two solutions for you which work, but since you haven't recognized it I'll explain further.

Your problem is that you are not telling MATLAB which parts of your query it should interpret as a literal string, and which parts it should interpret as a variable name. To solve this, you can just end the literal string where appropriate, i.e. after the opening brackets, and then start it again before the closing brackets.

In between those literal strings you want to add the contents of your variables, so you need to tell MATLAB to concatenate your literal strings with your variables, since the mysql command probably expects the whole query as a single string. So in essence you want to take the string 'insert into table(' and the string saved in the variable name and the string ') values (' and so on and glue them into one big string. Amro and Isaac have both shown you ways to do this without much explanation:

horzcat('insert into table (', name, ') values (', var_name, ')')

uses the function horzcat, while

['insert into table (' name ') values (' var_name ')']

uses the fact that MATLAB treats strings as arrays of characters, so that you can just use square brackets to form a big array containing the strings one after the other.

The third solution, offered by Amro, is a bit more subtle:

sprintf('insert into table (%s) values (%s)',name,var_name)

It tells the function sprintf (which is made for that purpose) "take the string which I supply as the first parameter and replace occurrences of %s with the strings I supply as the following parameters". This last technique is particularly useful if you also need to insert numbers into your string, because sprintf can also convert numbers to strings and allows fine control over how they are formatted. You should have a close look at the help page for sprintf to learn more :-).

Try this instead:

mysql(sprintf('insert into table (%s) values (%s)',name,var_name));

or:

mysql(['insert into table (' name ') values (' var_name ')']);

I believe the problem you are having is the same as the one in this other question. It sounds like you want to create a command string that itself contains a ' delimited string, which would require you to escape each ' with another ' when you create your command string (note the first example in this string handling documentation). Note also that you may want to use the 's' option for the INPUT function:

var_name = input('Enter the name: ','s');  %# Treats input like a string
commandString = sprintf('insert into table (name) values (''%s'')', var_name);
                            %# Note the two apostrophes --^
mysql(commandString);

If I were to enter Ken for the input, the string commandString would contain the following:


And of course, as others have already pointed out, beware of injection vulnerabilities.
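The quoting step from the last answer combined with the injection warnings, as an added example that is not from any of the posts above: it compares the plain sprintf command string with one built after an allow-list check and apostrophe doubling. buildInsert is a hypothetical helper, the allowed character set and the 64-character limit are assumptions, and the sample names are constructed.

```matlab
% Script with a local function (needs R2016b or later).
samples = {'Ken', 'O''Brien', 'Ken\'};          % constructed sample inputs
for k = 1:numel(samples)
    raw = samples{k};
    % Command string as built by the sprintf line in the answer above:
    % the input is pasted between the quotes unchanged.
    naive = sprintf('insert into table (name) values (''%s'')', raw);
    fprintf('input : %s\nnaive : %s\n', raw, naive);
    try
        fprintf('safe  : %s\n\n', buildInsert(raw));
    catch err
        fprintf('safe  : rejected (%s)\n\n', err.message);
    end
end

function cmd = buildInsert(value)
    % Hypothetical helper: validate first, then quote, then format.
    % Assumed allow-list: letters, digits, space, apostrophe, period, hyphen.
    % Backslash is excluded because MySQL treats it as an escape character
    % inside string literals in its default SQL mode.
    if ~ischar(value) || isempty(value) || numel(value) > 64
        error('buildInsert:badInput', 'name must be 1 to 64 characters');
    end
    if ~isempty(regexp(value, '[^A-Za-z0-9 ''.\-]', 'once'))
        error('buildInsert:badInput', 'name contains a character outside the allow-list');
    end
    % Inside an SQL string literal an apostrophe is written as two apostrophes.
    escaped = strrep(value, '''', '''''');
    cmd = sprintf('insert into table (name) values (''%s'')', escaped);
end
```

For O'Brien the naive string ends its literal after the O, while the checked version keeps the whole name inside the quotes. Where the database interface offers parameterized queries, prefer those to building the command string at all.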