How can I place a parameter marker inside single quotes for sql parameterized query inside python

Question

I want to write an sql openquery in python. The normal sql queries I was writing like:

sql_query = select name from emp where id= %s 

And I was executing it like: cursor.execute(sql_query, (id_value,))

And It works well.

But, Now I have an openquery which is something like:

sql_query = select * from openquery([LS], 'select name from \"DB\"."view" where \"id\" Like %s') 

If I execute with: cursor.execute(sql_query, (id_value,))

I will get an error saying:

SQL contains 0 parameter markers but 1 parameter is supplied.

I understand this error is coming because %s is specified inside a single quoted query. But I can't remove that single quotes because the query is not working without it in SQL server itself.

I have tried to run the query with:

cursor.execute(sql_query % (id_value))

And it works. But I dont want to use this because this format is prone to SQL injection.

So, how can I write a secure parameterized openquery in python.

Answer 1

Please, remove extra comma(",") after in parameter block after "id_value":

sql_query = select * from openquery([LS], 'select name from \"DB\"."view" where \"id\" Like %s')    

cursor.execute(sql_query, (id_value))