stackoom
  简体   繁体   中英

PLPGSQL using single quotes in function call (python)

 原文  2010-12-13 23:11:46       python/ quotes/ plpgsql

Question

I am having problems when using single quotes in a insert value for a plpgsql function It looks like this:

"AND (u.firstname LIKE 'koen') OR (u.firstname LIKE 'dirk')"

This is done with python

I have tried \\' and '' and ''' and '''' and ''''' and even ''''''' none of them seem to be working and return the following error:

[FAIL][syntax error at or near "koen" LINE 1: ...'u.firstname', 'ASC', 'AND (u.firstname LIKE 'koe...

Any help is appreciated!

Thanks a lot!

======================== EDIT =========================

Sorry! here is my plpgsql function: 

CREATE FUNCTION get_members(IN in_company_uuid uuid, IN in_start integer, IN in_limit integer, IN in_sort character varying, IN in_order character varying, IN in_querystring CHARACTER VARYING, IN in_filterstring CHARACTER VARYING, IN OUT out_status integer, OUT out_status_description character varying, OUT out_value character varying[]) RETURNS record
    LANGUAGE plpgsql
    AS $$DECLARE

temp_record RECORD;
temp_out_value VARCHAR[];
--temp_member_struct MEMBER_STRUCT;
temp_iterator INTEGER := 0;

BEGIN

FOR temp_record IN EXECUTE '
SELECT DISTINCT ON
    (' || in_sort || ')
    u.user_uuid,
    u.firstname,
    u.preposition,
    u.lastname,
    array_to_string_ex(ARRAY(SELECT email FROM emails WHERE user_uuid = u.user_uuid)) as emails,
    array_to_string_ex(ARRAY(SELECT mobilenumber FROM mobilenumbers WHERE user_uuid = u.user_uuid)) as mobilenumbers,
    array_to_string_ex(ARRAY(SELECT c.name FROM targetgroupusers AS tgu LEFT JOIN membercategories as mc ON mc.targetgroup_uuid = tgu.targetgroup_uuid LEFT JOIN categories AS c ON mc.category_uuid = c.category_uuid WHERE tgu.user_uuid = u.user_uuid)) as categories,
    array_to_string_ex(ARRAY(SELECT color FROM membercategories WHERE targetgroup_uuid IN(SELECT targetgroup_uuid FROM targetgroupusers WHERE user_uuid = u.user_uuid))) as colors
FROM
    membercategories AS mc
LEFT JOIN
    targetgroups AS tg
ON
    tg.targetgroup_uuid = mc.targetgroup_uuid
LEFT JOIN
    targetgroupusers AS tgu
ON
    tgu.targetgroup_uuid = tg.targetgroup_uuid
LEFT JOIN
    users AS u
ON
    u.user_uuid = tgu.user_uuid
WHERE
    mc.company_uuid = ''' || in_company_uuid || '''
    ' || in_querystring || '
    ' || in_filterstring || '
ORDER BY
   ' || in_sort || ' ' || in_order || '
OFFSET
    ' || in_start || '
LIMIT
    ' || in_limit

LOOP
 temp_out_value[temp_iterator] = ARRAY[temp_record.user_uuid::VARCHAR(36),
                                       temp_record.firstname,
                                       temp_record.preposition,
                                       temp_record.lastname,
                                       temp_record.emails,
                                       temp_record.mobilenumbers,
                                       temp_record.categories,
                                       temp_record.colors];
 temp_iterator = temp_iterator+1;
END LOOP;

out_status := 0;
out_status_description := 'Members retrieved';
out_value := temp_out_value;

RETURN;

END$$;

Here is how i call the function: 

def get_members(companyuuid, start, limit, sort, order, querystring = None, filterstring = None):
    logRequest()
    def doWork(cursor):        
        if not companyuuid:
            raise Exception("companyuuid cannot be None!")   

        queryarray = [str(s) for s in querystring.split("|")]        
        queryfields = ['firstname', 'preposition', 'lastname', 'emails', 'mobilenumbers']

        temp_querystring = ""
        for j in xrange(len(queryfields)):
            for i in xrange(len(queryarray)):
                temp_querystring += "(u.%s LIKE ''%%%s%'') OR "%(queryfields[j], queryarray[i])

        temp_querystring = "AND %s"%temp_querystring.rstrip(" OR ")
        temp_filterstring = filterstring
        print "querystring: %s"%temp_querystring

        heizoodb.call(cursor=cursor,
                      scheme="public", 
                      function="get_members", 
                      functionArgs=(companyuuid, start, limit, sort, order, temp_querystring, temp_filterstring),
                      returnsValue=True)

And my latest error =D

com.gravityzoo.core.libs.sql.PostgreSQLDB.runSQLTransaction: not enough arguments for format string, result=[None]

SQLinjection to be added later ;)

Thanks!

1 answers

solution1
 0  2011-01-17 12:58:35

I don't know Python well, but it probably supports data binding where you first prepare a statement (and you don't need quotes around the question marks there): 

prepare("..... AND (u.firstname LIKE ?) OR (u.firstname LIKE ?)")

and then you call execute('koen', 'dirk') or whatever that function is called in Python.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Call plpgsql Function from a PL/Python Function in PostgreSQL python provide arguments to a function with single quotes Using python, How to replace single quotes to double quotes Replace escaped double quotes to single quotes in Python using regex Multiple Quotes from single API call yfinance Python Possible to call single-parameter Python function without using parentheses? Call a function with a single character in Python double and single quotes in python Python prints single quotes How to replace single quotes that appear when using split() function
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM