1. 技术文章
  2. How to put variable in `pyodbc` query?

How to put variable in `pyodbc` query?

六月ゝ 毕业季﹏ 提交于 2020-05-18 04:25:15

问题


I am using pyodbc to save data in Microsoft SQL Server.

I 3 string variables, user_first_name, user_last_name and profile_photo_path

user_first_name = 'Shams'
user_last_name = 'Nahid'
file_name = 'my_profile_photo_path'

Now when I try to save data using

cursor.execute(f'''
                    INSERT INTO pyUser.dbo.user_information (first_name, last_name, profile_photo_path)
                    VALUES
                    ({user_first_name}, {user_last_name}, {file_name})

                    ''')

I get the following error

Invalid column name \'Shams\'.

Invalid column name \'Nahid\'.

The multi-part identifier "directory.PNG" could not be bound.

But instead of the variable, if I put the hardcoded string

cursor.execute('''
                    INSERT INTO pyUser.dbo.user_information (first_name, last_name, profile_photo_path)
                    VALUES
                    ('my_user_first_name', 'my_user_last_name', 'my_file_name')

                    ''')

Then the query shows no error.

I checked the variable type, user_first_name, user_last_name and file_name, all are <class 'str'>

How can I put the variable in the query?


回答1:


Using string formatting to insert column values into an SQL statement is a dangerous practice because it exposes your code to SQL Injection vulnerabilities. For example, the code in your answer will work for 

user_last_name = "Nahid"

but it will fail for 

user_last_name = "O'Connor"

SQL injection can also have serious security implications. Perform a web search for "Little Bobby Tables" to see an example of that.

Rather, you should use a parameterized query like so:

user_first_name = 'Shams'
user_last_name = 'Nahid'
file_name = 'my_profile_photo_path'

sql = '''\
INSERT INTO pyUser.dbo.user_information (first_name, last_name, profile_photo_path)
VALUES (?, ?, ?)
'''
params = (user_first_name, user_last_name, file_name, )
cursor.execute(sql, params)



回答2:


Solved by putting a quotation on both sides of the variable.

cursor.execute(f'''
                    INSERT INTO pyUser.dbo.user_information (first_name, last_name, profile_photo_path)
                    VALUES
                    ('{user_first_name}', '{user_last_name}', '{file_name}')

                    ''')



回答3:


or you can try this

cursor.execute('''
                    INSERT INTO pyUser.dbo.user_information (first_name, last_name, profile_photo_path)
                    VALUES
                    ("Shams", "Nahid", "my_profile_photo_path")

                    ''')



回答4:


I try again, it is work, for example

import pymysql

def test():
    db = pymysql.connect('localhost', 'root', '****', 'python')
    cur = db.cursor()
    id_ = "123456"
    query = ''.join(["select *", " from customer where id = ", id_])
    cur.execute(query)
    result = cur.fetchone()
    print("result: ", result)
if __name__ == '__main__':
    test()


来源:https://stackoverflow.com/questions/54166278/how-to-put-variable-in-pyodbc-query

标签
python
python-3.x
pyodbc
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!