Python - sqlite3 sqlite3.OperationalError: near “%”: syntax error?

First, before everything, I realize this question has been asked beforehand. I've looked for several hours trying to solve my problem, but I haven't been able to correctly implement a solution and I'm still running into the error.

I'm trying to INSERT into a table (would like the table name to be dynamic, but I believe this is also not allowed?) using a variable string. From the studying I've done it seems that this is not allowed / good practice because it leaves the code open to SQL Injection.

I've tried to replace %s with ? but it still returns the same error with "?" instead of "%?".

Here is the code I'm using. Most of it is credited to James Mills, I'm just trying to use the statements he makes from a CSV for sqlite3 INSERT statements, if that makes sense.

"""csv2sql

Tool to convert CSV data files into SQL statements that
can be used to populate SQL tables. Each line of text in
the file is read, parsed and converted to SQL and output
to stdout (which can be piped).

A table to populate is given by the -t/--table option or
by the basename of the input file (if not standard input).

Fields are either given by the -f/--fields option (comma
separated) or determined from the first row of data.
"""

__version__ = "0.4"
__author__ = "James Mills"
__date__ = "3rd February 2011"

import os
import csv
import sys
import optparse
import sqlite3

USAGE = "%prog [options] <file>"
VERSION = "%prog v" + __version__

def parse_options():
    parser = optparse.OptionParser(usage=USAGE, version=VERSION)

    parser.add_option("-t", "--table",
            action="store", type="string",
            default=None, dest="table",
            help="Specify table name (defaults to filename)")

    parser.add_option("-f", "--fields",
            action="store", type="string",
            default=None, dest="fields",
            help="Specify a list of fields (comma-separated)")

    parser.add_option("-s", "--skip",
            action="append", type="int",
            default=[], dest="skip",
            help="Specify records to skip (multiple allowed)")

    opts, args = parser.parse_args()

    if len(args) < 1:
        parser.print_help()
        raise SystemExit, 1

    return opts, args

def generate_rows(f):
    sniffer = csv.Sniffer()
    dialect = sniffer.sniff(f.readline())
    f.seek(0)

    reader = csv.reader(f, dialect)
    for line in reader:
        yield line

def main():
    opts, args = parse_options()

    filename = args[0]

    if filename == "-":
        if opts.table is None:
            print "ERROR: No table specified and stdin used."
            raise SystemExit, 1
        fd = sys.stdin
        table = opts.table
    else:
        fd = open(filename, "rU")
        if opts.table is None:
            table = os.path.splitext(filename)[0]
        else:
            table = opts.table

    rows = generate_rows(fd)

    if opts.fields:
        fields = ", ".join([x.strip() for x in opts.fields.split(",")])
    else:
        fields = ", ".join(rows.next())

    for i, row in enumerate(rows):
        if i in opts.skip:
            continue

        values = ", ".join(["\"%s\"" % x for x in row])
        print "INSERT INTO %s (%s) VALUES (%s);" % (table, fields, values)

        con = sqlite3.connect("school")
        cur = con.cursor()

        cur.executemany("INSERT INTO %s (%s) VALUES (%s);", (table, fields, values))
        con.commit()
        con.close()

if __name__ == "__main__":
    main()

Here is an example of the output:

> INSERT INTO data (School Name, Summer 15, Summer 16, Summer 17) VALUES ("School One", "126", "235", "453");
Traceback (most recent call last):
  File "sniffer.py", line 103, in <module>
    main()
  File "sniffer.py", line 98, in main
    cur.executemany("INSERT INTO %s (%s) VALUES (%s);", (table, fields, values))
sqlite3.OperationalError: near "%": syntax error

The sniffer stuff is to get the names of the columns and their values, which I try to put into the SQL statement.

I've tried many things, but I haven't been able to wrap my head around a solution!

Please don't bash me! I'm new to all of this and just need a little help!

Any help is appreciated!

Keeping in mind the possibility of SQL-Injection Attack and making sure to sanitise your inputs, you can prepare your query like this:

if opts.fields:
    field_list = [x.strip() for x in opts.fields.split(",")]
else:
    field_list = rows.next()
fields = ", ".join(field_list)

# One "?" placeholder per column; rows is a generator, so count the fields instead
qry = "INSERT INTO %s (%s) VALUES (%s);" % (table,
                                            fields,
                                            ",".join("?" * len(field_list)),)

Please note that for the parameter substitution in SQLite you need to use ?s.

# executemany takes the sequence of rows itself; each row supplies one value per "?"
cur.executemany(qry, rows)
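As an added example (not part of the original answer or of James Mills's script): SQLite's ? placeholders bind values only, so the table and column names still have to be formatted into the statement. This Python 3 sketch checks those names against a conservative pattern and double-quotes them, which also makes names with spaces such as School Name valid, then binds every row value. The helper names quote_ident, build_insert and load_csv, the pattern, and the sample CSV are constructed for illustration.

```python
import csv
import io
import re
import sqlite3

# Constructed sample input mirroring the question's CSV; one value contains quotes.
SAMPLE_CSV = (
    "School Name,Summer 15,Summer 16,Summer 17\n"
    "School One,126,235,453\n"
    'The "Annex" School,1,2,3\n'
)

# Assumed policy: identifiers are letters, digits, underscores and spaces only.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_ ]*")

def quote_ident(name):
    """Validate a table/column name and return it double-quoted for SQLite."""
    name = name.strip()
    if not IDENT_RE.fullmatch(name):
        raise ValueError("unsafe identifier: %r" % name)
    return '"%s"' % name

def build_insert(table, fields):
    """Format identifiers into the SQL text; leave one ? per value to be bound."""
    cols = ", ".join(quote_ident(f) for f in fields)
    marks = ", ".join("?" for _ in fields)
    return "INSERT INTO %s (%s) VALUES (%s)" % (quote_ident(table), cols, marks)

def load_csv(con, table, text):
    """Insert every data row; a row of the wrong width raises ProgrammingError."""
    rows = csv.reader(io.StringIO(text))
    fields = next(rows)  # header row supplies the column names
    cur = con.executemany(build_insert(table, fields), rows)
    con.commit()
    return cur.rowcount

def demo():
    con = sqlite3.connect(":memory:")
    con.execute('CREATE TABLE "data" ("School Name" TEXT, "Summer 15" TEXT, '
                '"Summer 16" TEXT, "Summer 17" TEXT)')
    inserted = load_csv(con, "data", SAMPLE_CSV)
    names = [r[0] for r in con.execute('SELECT "School Name" FROM "data" ORDER BY rowid')]
    return inserted, names

if __name__ == "__main__":
    print(demo())
```

The connection is opened once and the statement is built once, rather than inside the per-row loop as in the question's script.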
