python passing variables into sql query
I have the following variables -
sql_query = """
select jr.jobrun_id 'Job ID',
jm.jobmst_prntname + '\\' + jm.jobmst_name 'Job Name',
cast(jr.jobrun_proddt as date) 'Production Date' from jobrun jr
inner join joboutput jo on jo.jobrun_id = jr.jobrun_id
inner join jobmst jm on jm.jobmst_id = jr.jobmst_id
where jr.jobrun_proddt BETWEEN ? and ? and jo.jobrun_output like '%not available%' and jr.jobrun_status='107'
and jr.jobrun_dirty != 'X'
order by jr.jobrun_proddt desc
"""
I am running it through the following function definition -
def query_db(query, args=(), one=False):
    cur = db().cursor()
    cur.execute(query, args)
    r = [dict((cur.description[i][0], value)
              for i, value in enumerate(row)) for row in cur.fetchall()]
    cur.connection.close()
    return (r[0] if r else None) if one else r
by running the following call -
my_query = query_db(sql_query, (date1, date2))
The problem is that my arguments are not being passed into the query. What am I doing wrong?
For the record, the two variables look like this -
date1 = '2014-12-15'
date2 = '2014-12-17'
I ran the following -
print ("""
select jr.jobrun_id 'Job ID',
jm.jobmst_prntname + '\\' + jm.jobmst_name 'Job Name',
cast(jr.jobrun_proddt as date) 'Production Date' from jobrun jr
inner join joboutput jo on jo.jobrun_id = jr.jobrun_id
inner join jobmst jm on jm.jobmst_id = jr.jobmst_id
where cast(jr.jobrun_proddt as date) BETWEEN ? and ? and (jo.jobrun_output LIKE '%does not exist%' and jr.jobrun_status='66') or
(jo.jobrun_output LIKE '%duplicate%' and jr.jobrun_status='66') or
(jo.jobrun_output LIKE '%password missing%' and jr.jobrun_status='66')
and jr.jobrun_dirty != 'X'
order by jr.jobrun_proddt desc
""", (date1, date2))
To confirm, it is not putting the dates in place of the ? marks.
Edit - I know it is not working because the results I get include dates outside the two values I specified for BETWEEN. This is what I want the query to show -
select jr.jobrun_id 'Job ID',
jm.jobmst_prntname + '\\' + jm.jobmst_name 'Job Name',
cast(jr.jobrun_proddt as date) 'Production Date' from jobrun jr
inner join joboutput jo on jo.jobrun_id = jr.jobrun_id
inner join jobmst jm on jm.jobmst_id = jr.jobmst_id
where cast(jr.jobrun_proddt as date) BETWEEN '2014-12-15' and '2014-12-17' and (jo.jobrun_output LIKE '%does not exist%' and jr.jobrun_status='66') or
(jo.jobrun_output LIKE '%duplicate%' and jr.jobrun_status='66') or
(jo.jobrun_output LIKE '%password missing%' and jr.jobrun_status='66')
and jr.jobrun_dirty != 'X'
order by jr.jobrun_proddt desc
Try
print ("""
select jr.jobrun_id 'Job ID',
jm.jobmst_prntname + '\\' + jm.jobmst_name 'Job Name',
cast(jr.jobrun_proddt as date) 'Production Date' from jobrun jr
inner join joboutput jo on jo.jobrun_id = jr.jobrun_id
inner join jobmst jm on jm.jobmst_id = jr.jobmst_id
where cast(jr.jobrun_proddt as date) BETWEEN '%s' and '%s' and (jo.jobrun_output LIKE '%%does not exist%%' and jr.jobrun_status='66') or
(jo.jobrun_output LIKE '%%duplicate%%' and jr.jobrun_status='66') or
(jo.jobrun_output LIKE '%%password missing%%' and jr.jobrun_status='66')
and jr.jobrun_dirty != 'X'
order by jr.jobrun_proddt desc
""" % (date1, date2))
I switched to filling in the variables with %s and escaped the % you were using by turning it into %%.
Also, this kind of code leaves your application vulnerable to SQL injection. You should consider using a library such as SQLAlchemy.
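As an added example (not code from the question or the answer above): the question's query_db helper run against a constructed in-memory SQLite table, showing that values passed through args are bound as data, so the ? placeholders do work, while splicing them in with % turns any quote inside a value into part of the SQL statement. The table, its rows and the column names are assumptions; SQLite is used here only because, like the poster's driver, it takes ? placeholders.

```python
import sqlite3

# Constructed sample data, not from the original post: a minimal jobrun table.
ROWS = [
    (1, "2014-12-14", "107"),
    (2, "2014-12-15", "107"),
    (3, "2014-12-17", "107"),
    (4, "2014-12-18", "107"),
]

def db():
    # Stand-in for the poster's db(): a fresh in-memory SQLite connection.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table jobrun (jobrun_id int, jobrun_proddt text, jobrun_status text)")
    conn.executemany("insert into jobrun values (?, ?, ?)", ROWS)
    return conn

def query_db(query, args=(), one=False):
    # Same shape as the helper in the question: args are bound by the driver,
    # so each value is compared as data and never re-parsed as SQL.
    cur = db().cursor()
    cur.execute(query, args)
    r = [dict((cur.description[i][0], value) for i, value in enumerate(row))
         for row in cur.fetchall()]
    cur.connection.close()
    return (r[0] if r else None) if one else r

SQL = """
select jobrun_id as "Job ID", jobrun_proddt as "Production Date"
from jobrun
where jobrun_proddt between ? and ? and jobrun_status = '107'
order by jobrun_proddt desc
"""

# The pattern the answer suggests: the values are spliced into the SQL text.
SQL_FORMATTED = SQL.replace("?", "'%s'")

def ids_in_range(date1, date2):
    """Bound parameters: a stray quote in a value is just part of the text compared."""
    return [row["Job ID"] for row in query_db(SQL, (date1, date2))]

def ids_in_range_formatted(date1, date2):
    """String formatting: a stray quote ends the literal early and breaks (or alters) the SQL."""
    try:
        return [row["Job ID"] for row in query_db(SQL_FORMATTED % (date1, date2))]
    except sqlite3.OperationalError:
        return None  # the value was parsed as SQL, not as data
```

Note also that in the posted query `... BETWEEN ? and ? and (...) or (...) or (...)` the `or` branches are not limited by the date range, because `and` binds tighter than `or`; wrapping the three `or` branches in one pair of parentheses keeps BETWEEN applied to all of them.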