PLPGSQL在函数调用中使用单引号（python）

Question

I am having problems when using single quotes in a insert value for a plpgsql function It looks like this:

"AND (u.firstname LIKE 'koen') OR (u.firstname LIKE 'dirk')"

This is done with python

I have tried \\' and '' and ''' and '''' and ''''' and even ''''''' none of them seem to be working and return the following error:

[FAIL][syntax error at or near "koen" LINE 1: ...'u.firstname', 'ASC', 'AND (u.firstname LIKE 'koe...

Any help is appreciated!

Thanks a lot!

======================== EDIT =========================

Sorry! here is my plpgsql function:

CREATE FUNCTION get_members(IN in_company_uuid uuid, IN in_start integer, IN in_limit integer, IN in_sort character varying, IN in_order character varying, IN in_querystring CHARACTER VARYING, IN in_filterstring CHARACTER VARYING, IN OUT out_status integer, OUT out_status_description character varying, OUT out_value character varying[]) RETURNS record
    LANGUAGE plpgsql
    AS $$DECLARE

temp_record RECORD;
temp_out_value VARCHAR[];
--temp_member_struct MEMBER_STRUCT;
temp_iterator INTEGER := 0;

BEGIN

FOR temp_record IN EXECUTE '
SELECT DISTINCT ON
    (' || in_sort || ')
    u.user_uuid,
    u.firstname,
    u.preposition,
    u.lastname,
    array_to_string_ex(ARRAY(SELECT email FROM emails WHERE user_uuid = u.user_uuid)) as emails,
    array_to_string_ex(ARRAY(SELECT mobilenumber FROM mobilenumbers WHERE user_uuid = u.user_uuid)) as mobilenumbers,
    array_to_string_ex(ARRAY(SELECT c.name FROM targetgroupusers AS tgu LEFT JOIN membercategories as mc ON mc.targetgroup_uuid = tgu.targetgroup_uuid LEFT JOIN categories AS c ON mc.category_uuid = c.category_uuid WHERE tgu.user_uuid = u.user_uuid)) as categories,
    array_to_string_ex(ARRAY(SELECT color FROM membercategories WHERE targetgroup_uuid IN(SELECT targetgroup_uuid FROM targetgroupusers WHERE user_uuid = u.user_uuid))) as colors
FROM
    membercategories AS mc
LEFT JOIN
    targetgroups AS tg
ON
    tg.targetgroup_uuid = mc.targetgroup_uuid
LEFT JOIN
    targetgroupusers AS tgu
ON
    tgu.targetgroup_uuid = tg.targetgroup_uuid
LEFT JOIN
    users AS u
ON
    u.user_uuid = tgu.user_uuid
WHERE
    mc.company_uuid = ''' || in_company_uuid || '''
    ' || in_querystring || '
    ' || in_filterstring || '
ORDER BY
   ' || in_sort || ' ' || in_order || '
OFFSET
    ' || in_start || '
LIMIT
    ' || in_limit

LOOP
 temp_out_value[temp_iterator] = ARRAY[temp_record.user_uuid::VARCHAR(36),
                                       temp_record.firstname,
                                       temp_record.preposition,
                                       temp_record.lastname,
                                       temp_record.emails,
                                       temp_record.mobilenumbers,
                                       temp_record.categories,
                                       temp_record.colors];
 temp_iterator = temp_iterator+1;
END LOOP;

out_status := 0;
out_status_description := 'Members retrieved';
out_value := temp_out_value;

RETURN;

END$$;

Here is how i call the function:

def get_members(companyuuid, start, limit, sort, order, querystring = None, filterstring = None):
    logRequest()
    def doWork(cursor):        
        if not companyuuid:
            raise Exception("companyuuid cannot be None!")   

        queryarray = [str(s) for s in querystring.split("|")]        
        queryfields = ['firstname', 'preposition', 'lastname', 'emails', 'mobilenumbers']

        temp_querystring = ""
        for j in xrange(len(queryfields)):
            for i in xrange(len(queryarray)):
                temp_querystring += "(u.%s LIKE ''%%%s%'') OR "%(queryfields[j], queryarray[i])

        temp_querystring = "AND %s"%temp_querystring.rstrip(" OR ")
        temp_filterstring = filterstring
        print "querystring: %s"%temp_querystring

        heizoodb.call(cursor=cursor,
                      scheme="public", 
                      function="get_members", 
                      functionArgs=(companyuuid, start, limit, sort, order, temp_querystring, temp_filterstring),
                      returnsValue=True)    

And my latest error =D

com.gravityzoo.core.libs.sql.PostgreSQLDB.runSQLTransaction: not enough arguments for format string, result=[None]

SQLinjection to be added later ;)

Thanks!

Answer 1

I don't know Python well, but it probably supports data binding where you first prepare a statement (and you don't need quotes around the question marks there):

prepare("..... AND (u.firstname LIKE ?) OR (u.firstname LIKE ?)")

and then you call execute('koen', 'dirk') or whatever that function is called in Python.