stackoom
  简体   繁体   中英

Pass a python list to an SQL Query

 原文  2015-07-03 12:31:43       python/ sql/ json

Question

res = db.execute("""
SELECT CAST ((SUM(r.SalesVolume)/1000.0) AS decimal(6,1))
FROM RawData r
INNER JOIN Product p
ON r.ProductId = p.ProductId 
INNER JOIN Calendar c
ON r.DayId = c.DayId
WHERE c.WeekCodeInYear BETWEEN 1 AND 12
AND 
c.YearId = 2014
AND p.Distributor IN (%s)
GROUP BY c.WeekCodeInYear """ % _studios)

_studios is a Python list and is a part of a JSON object. It can be read as: 

["WARNER","TF1","GAUMONT","PATHE","STUDIOCANAL","FRANCETV","M6SND"]

However when I try and execute this I get an error: 

ProgrammingError: (ProgrammingError) (207, "Invalid column name 'u'WARNER', u'TF1', 
u'GAUMONT', u'PATHE', u'STUDIOCANAL', u'FRANCETV', u'M6SND''.DB-Lib error message 20018, 
severity 16:\nGeneral SQL Server error: Check messages from the SQL

The Database however has all the columns specified. I guess it has to do with the format. Not sure though.

The query when printed in the command prompt can be seen as: 

SELECT CAST ((SUM(r.SalesVolume)/1000.0) AS decimal(6,1))
FROM RawData r
INNER JOIN Product p
ON r.ProductId = p.ProductId
INNER JOIN Calendar c
ON r.DayId = c.DayId
WHERE c.WeekCodeInYear BETWEEN 1 AND 12
AND
c.YearId = 2014
AND p.Distributor IN ([u'WARNER', u'TF1', u'GAUMONT', u'PATHE', u'STUDIOCANAL',
u'FRANCETV', u'M6SND'])
GROUP BY c.WeekCodeInYear

I notice the [ ] in the p.distributor line which is the probably issue?

1 answers

solution1
 1 ACCPTED  2015-07-03 12:42:47

This is indeed the issue. You're using the __repr__ version of the list. Instead, use str.join function to make it into a usable string, combined with a list comprehension to quote the strings: 

"""SELECT CAST ((SUM(r.SalesVolume)/1000.0) AS decimal(6,1))
FROM RawData r
INNER JOIN Product p
ON r.ProductId = p.ProductId
INNER JOIN Calendar c
ON r.DayId = c.DayId
WHERE c.WeekCodeInYear BETWEEN 1 AND 12
AND
c.YearId = 2014
AND p.Distributor IN ({})
GROUP BY c.WeekCodeInYear """.format(', '.join(["'" + studio + "'" for studio in _studios]))

This, however, becomes very hard to maintain and read if there's more complex queries with more parameters. The above solution's format statement is already hard to understand, this will get only worse.

It is also vulnerable to SQL injection, as roippi has pointed out. They are also right with their suggestion to use parametrized queries.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to pass python list of string to sql query python create list to pass through SQL query how to pass a python list in place of * in sql query Pass list of strings into raw sql query (Python/Django) Pass a python variable into an SQL query How to pass a list to the SQL query in django How to pass list values to SQL Select query? Passing a list to SQL query in Python Python-How I pass list or vector in pd.read_sql query Create a list based on groups from a csv file and pass on to SQL query using Python
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM