從數據幀創建逗號分隔列表以傳遞到 SQL 查詢時出錯

Question

我正在嘗試創建一個逗號分隔的列表來傳遞 SQL 查詢。

我的代碼

sql1 = '''select carrier_name, carrier_account, invoice_number, invoice_amount, currency, invoice_date
from invoice_summary where invoice_number in {}'''.format(tuple(data1['invoice_number'].values.tolist()))

當前Output

    "select carrier_name, carrier_account, invoice_number,
 invoice_amount, currency, invoice_date\nfrom invoice_summary where invoice_number in ('BHX3327983',)"

預計 Output "

select carrier_name, carrier_account, invoice_number,
     invoice_amount, currency, invoice_date\nfrom invoice_summary where invoice_number in ('BHX3327983')"

我正在尋找一種在有單個輸入或要傳遞多個輸入時有效的解決方案。

我的代碼有什么問題。

Answer 1

嘗試使用join並將括號放在字符串中：

sql1 = '''select carrier_name, carrier_account, invoice_number, invoice_amount, currency, invoice_date
from invoice_summary where invoice_number in ({})'''.format(','.join(["'{}'".format(x) for x in data1['invoice_number']]))

---

更新

您可以使用DataFrame.empty屬性有條件地設置 sql 語句的值。 如果data1為空，則將WHERE子句設置為 False，例如1 = 0 ：

if data1.empty:
    sql1 = '''select carrier_name, carrier_account, invoice_number, invoice_amount, currency, invoice_date
              from invoice_summary where 1 = 0'''
else:
    sql1 = ('''select carrier_name, carrier_account, invoice_number, invoice_amount, currency, invoice_date
              from invoice_summary where invoice_number in ({})'''
            .format(','.join(["'{}'".format(x) for x in data1['invoice_number']])))

Answer 2

為避免 SQL 注入，您可以使用以下命令：

invoice_nums_list = data1['invoice_number'].values.tolist()

sql1 = '''select carrier_name, carrier_account, invoice_number, invoice_amount, currency, invoice_date from invoice_summary where invoice_number in ''' + 
       '(' + ','.join('%s' for i in range(len(invoice_nums_list))) + ')'

print(sql1)

cursor.execute(sql1, params=tuple(invoice_nums_list))