Best IT Recipes

Python String Formats with SQL and LIKE Wildcards

It is hard for me to load some sql in python in order to navigate correctly through MySQLdb. This is the pythons string formatting that kills me.

My sql statement uses the LIKE keyword with wildcards. I tried several different things in Python. The problem is that one day I will get one of them, there is a line of code in MySQLdb that comes off in a string format.

Attempt 1:

"SELECT tag.userId, count (user.id) as totalRows FROM user INNER JOIN tag ON user.id = tag.userId WHERE user.username LIKE '%% s%'"% (query)

This is not an option. I get a value error:

ValueError: unsupported character '' '' (0x27) with index 128

Attempt 2:

"SELECT tag.userId, count (user.id) as totalRows FROM user INNER JOIN tag ON user.id = tag.userId WHERE user.username LIKE '\ %% s \%'"% (Request)

I get the same result from attempt 1.

Attempt 3:

like = "LIKE '%" + str (query) + "%'" totalq = "SELECT tag.userId, count (user.id) as totalRows FROM user INNER JOIN tag ON user.id = tag.userId WHERE user.username "+ like

This correctly creates the totalq variable, but now when I go to run the query, I get errors from MySQLdb:

File "build / bdist.macosx-10.6-universal / egg / MySQLdb / cursors.py", line 158, in execute query = query% db.literal (args) TypeError: not enough arguments for format string

Attempt 4:

like = "LIKE '\%" + str (query) + "\%'" totalq = "SELECT tag.userId, count (user.id) as totalRows FROM user INNER JOIN tag ON user.id = tag.userId WHERE user .username "+ like

This is the same result as attempt 3.

It all seems really strange. How can I use wildcards in sql operations with python?

+21
python sql format sql-like like
Jun 28 '10 at 17:33
source share
5 answers

It's not about string formatting, but the problem is how queries should be executed in accordance with the requirements for db operations in Python ( PEP 249 )

try something like this:

sql = "SELECT column FROM table WHERE col1=%s AND col2=%s" params = (col1_value, col2_value) cursor.execute(sql, params)

here are some examples for psycog2 where you have some explanations that should also be valid for mysql (mysqldb also follows the PEP249 dba api guide 2.0: here are examples for mysqldb )

+11
Jun 28 '10 at 17:53
source share

All of these queries seem vulnerable to SQL injection attacks.

Try something like this:

 curs.execute("""SELECT tag.userId, count(user.id) as totalRows FROM user INNER JOIN tag ON user.id = tag.userId WHERE user.username LIKE %s""", ('%' + query + '%',))

If two arguments are passed to execute() .

+24
Jun 28 2018-10-18T00:
source share

To avoid ampersands in Python string formatting expressions, double the ampersand:

 '%%%s%%' % search_string

Edit: But I definitely agree with another answer. Direct string replacement in SQL queries is almost always a bad idea.

+9
Jun 28 '10 at 17:41
source share

We could try to avoid the percentage symbol by doubling them as follows:

 query_to_get_user_name = """ SELECT tag.userId, count(user.id) as totalRows FROM user INNER JOIN tag ON user.id = tag.userId WHERE user.username LIKE '%%%s%%' """ % (user_name,) cursor.execute(query_to_get_user_name)
0
Mar 28 '19 at 5:47
source share

I have a solution to your problem:

You cannot use:

 "SELECT tag.userId, count(user.id) as totalRows FROM user INNER JOIN tag ON user.id = tag.userId WHERE user.username LIKE '%%s%'" % (query)

you can change it using a string template, for example:

 import MySQLdb import string # string module ....... value = {'user':'your value'} sql_template = string.Template(""" SELECT tag.userId, count(user.id) as totalRows FROM user INNER JOIN tag ON user.id = tag.userId WHERE user.username LIKE '%$user%' """) sql = sql_template.substitute(value) try: cursor.execute(sql) ........... except: ........... finally : db.close()
-one
Dec 25 '14 at 12:50
source share


More articles:


All Articles