从python代码将字典保存到mysql表时出错

Question

I am trying to save a dict into mysql table, whose keys are columns and values are rows. This dict has keys which is a subset of all the columns of a table. I am using below code in python

sql_dict = {'deviceID': 'fd00::212:4b00:1957:d1b1', 'date': '2020-02-22', 'timestamp': '18:39:29.620329', 'counter': 72, 'rssi': 59, 'CH_1_Leavinng_Chiller_Liq_Temp': 7.7, 'CH_1_Motor_Current_limit_SP': 7.8, 'CH_1_Leaving_Condensor_liq_temp': 36.1, 'CH_1_Motor_Current_Percentage': 9.9, 'CH_1_Discharge_temp': 45.1, 'CH_1_Oil_Sump_temp': 45.6, 'CH_1_Remote_start_stop': 0.0, 'CH_1_Variable_speed_type': 0.0, 'Bypass line temp sensor ': -1274.8}

sql_insert_query = """ INSERT INTO Data {} VALUES {}""".format(tuple(sql_dict.keys()), tuple(sql_dict.values()))

I get an error when i run my code

Failed inserting record into python_users table 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''deviceID', 'date', 'timestamp', 'counter', 'rssi', 'CH_1_Leavinng_Chiller_Liq_T'

I don't understand where am I going wrong. Can someone help me with this ?

My table desc for reference

Answer 1

Use the following syntax to insert values into your database

cursor.execute("INSERT INTO table VALUES (%s, %s, %s)", (var1, var2, var3))
cursor.execute("INSERT INTO table VALUES (?, ?, ?)", (var1, var2, var3))

Else you are opening yourself to SQL injection attacks. https://xkcd.com/327/

Another problem is the keys in your dictionary don't match the table columns in your screenshot. deviceID until rssi matches but CH_1_Leavinng_Chiller_Liq_Temp doesn't match. So the error likely comes from here.

edit :
From your example this would be the SQL query:

INSERT INTO Data (
  'deviceID', 'date', 'timestamp', 
  'counter', 'rssi', 'CH_1_Leavinng_Chiller_Liq_Temp', 
  'CH_1_Motor_Current_limit_SP', 'CH_1_Leaving_Condensor_liq_temp', 'CH_1_Motor_Current_Percentage', 
  'CH_1_Discharge_temp', 'CH_1_Oil_Sump_temp', 'CH_1_Remote_start_stop', 
  'CH_1_Variable_speed_type', 'Bypass line temp sensor '
) VALUES (
  'fd00::212:4b00:1957:d1b1', '2020-02-22', '18:39:29.620329', 
  72, 59, 7.7, 
  7.8, 36.1, 9.9, 
  45.1, 45.6, 0.0, 
  0.0, -1274.8
)"

The datatype for counter and rssi is varchar . Here you are however providing a number, not string.

Answer 2

You can't use tuple to format SQL strings as you are doing, for a couple of reasons:

• It doesn't work for table column names, because they should not be surrounded with single quotes. Surround them with backticks instead, so your INSERT statement looks like

    INSERT INTO Data (`deviceId`, `date`, `timestamp`, ...

• If a string value contains a ' character, this will cause Python to output the string using double-quote rather than single-quote characters. Whether MySQL accepts double-quoted string literals or not I don't know, but other databases definitely don't. There is also, as pointed out by @TinNguyen, the risk of SQL injection, so you should be using parameterised SQL for your string values.

Instead, try something like the following:

column_names = ", ".join("`{0}`".format(key) for key in sql_dict)
placeholders = ", ".join(["%s"] * len(sql_dict))
sql_insert_query = """ INSERT INTO Data ({}) VALUES ({})""".format(column_names, placeholders)
# execute the insert using cursor.execute(sql_insert_query, tuple(sql_dict.values()))

Here, we build up the parts of the INSERT statement using the .join() method on strings: it looks a bit odd because it's a method on the joining string, ", " . Note that neither of column_names nor placeholders begin nor end with parentheses ( and ) so these must be added to the SQL string we call .format() on: I've replaced both occurrences of {} with ({}) .