python sql variables sqlalchemy user-input

SQL Query with variable injection - SQL Alchemy - Python

i have a question regarding variable injection into sql query with sqlalchemy/python(3.8).

What i researched so far was adding %s and also email_address=? and then adding it (email_address) but without success

What i am trying to do is capture user input and run a select query dynamically.

print(" What is the email address??")
email_address = input()
conn = create_engine("mssql+pyodbc://test_table:[email protected]:3306/test_db?driver=SQL Server?Trusted_Connection=yes'", echo = False)
sql = pd.read_sql('Select id,email_address from test_table where email_address = email_address', conn)
print(sql)

Solution

try:

print(" What is the email address??")
email_address = input()
conn = create_engine("mssql+pyodbc://test_table:[email protected]:3306/test_db?driver=SQL Server?Trusted_Connection=yes'", echo = False)
sql = pd.read_sql('Select id,email_address from test_table where email_addres=?', conn, params=(email_addres,))
print(sql)