I was looking at this similar question: Parameterize an SQL IN clause
But the solution is not using Python, so I had to raise a new question:
How do I parameterize a query containing an IN clause, the strings 'ruby','rails','scruffy','rubyonrails' comes from a column of a dataframe
SELECT * FROM Tags
WHERE Name IN ('ruby','rails','scruffy','rubyonrails')
ORDER BY Count DESC
The dataframe df might look like:
column1 column2...
ruby .
rails .
scruffy .
xxx
xxxx
Here's what I've tried:
I converted the first column to a list and name it list, then update the second line in the query:
WHERE Name IN %(list)s
But this gave me an error: sqlalchemy.exc.ProgrammingError: (MySQLdb._exceptions.ProgrammingError) (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where Name IN (('ruby','rails','xxx','xxxx','xxx','' at line 2")
I also tried list = str(list)[1:-1] to remove the square bracket, but then I got error: MySQLdb._exceptions.ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where Name IN ('\\'ruby\\', \\'rails\\', \\'xxxxx\\', \\'xxx\\',' at line 2")
My question is what format/datatype I should use for df[column1] to get this working? Can someone help please? Thanks.
The only answer here doesn't work, since I've resolved this, so here's the solution: turns out I only need to convert it to a list (with the square bracket), no need to remove the bracket otherwise it won't work!
Maybe you can convert the column list to a tuple:
col_tuple = tuple(list)
Then use a python f-string in your query:
f"""SELECT * FROM Tags
WHERE Name IN {col_tuple}
ORDER BY Count DESC"""
Related
I tried to write a query with Like command to search for special Name , but i need to get the value from User and i need to read the value but my sql code has problem with "LIKE" section , how can i fix it ?
sql = '''SELECT Name FROM newtest WHERE Name LIKE = %s'''
val = (n)
myobj = mycurs.execute(sql , val)
what's the problem ?
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '= %s' at line 1
this is the error
Remove the "=" sign. The LIKE command doesn't use that - see https://www.w3schools.com/sql/sql_ref_like.asp for an example.
If you need to search for non-exact matches (i.e. the name is anywhere inside the column) you can change the query as:
SELECT Name FROM newtest WHERE Name LIKE concat('%', %s, '%')
I am trying to insert values into a row of mysql database in a way that not be vulnerable to injection, but gives my syntax error. This is a piece of my code which causes the error:
cursor.execute("INSERT INTO api.mytable(id) VALUES (:id);", {"id": 1})
and error:
ERROR in connection: (1064, "You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the
right syntax to use near ':id)' at line 1")
code you please tell me what's the wrong with my code?
I am assuming id is given as some kind if input! Hence you can always check for the required format and allow only required ones! This is to avoid SQL injection!. Hence the natural formatting as shown below should do the job! And this is very basic level checking!
id_in = input("Here is the id taken " ) ## can be through any source . It is just an example
if isinstance(id_in,int): ##Please mention the required format here I am assuming it as integer
cursor.execute("INSERT INTO api.mytable(id) VALUES (%s);", (id_in))
else:
##do some stuff here
There are several questions on You have an error in your SQL syntax - but they all seem to address a specific syntax error in the query, which is generally not helpful to others.
My question is how can I get the formatted query from a MySQL command in Python so that I can actually inspect it?
So I have a statement like:
cursor.execute("INSERT INTO products(acc, title, sku, price, price_checked, desc, imgs) VALUES (%s,%s,%s,%s,%s,%s,%s)", (1, prod.title, prod.sku, prod.price, datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"), prod.desc, prod.imgs))
And the error is:
_mysql_exceptions.ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use n
ear 'desc, imgs) VALUES (1,'Holy Stone HS700 FPV Drone with 1080p HD Camera Live Vide' at line 1")
Any idea how I can get the executed query? I don't want to format the query myself then print it before executing, but rather use MySQL's built in formatting for security reasons, mainly.
DESC is a keyword in SQL for sorting in descending order. You can't call one of your parameters "desc" because it will be interpreted as such. Think about if you called one of your columns "Select"; it's the same issue. You need to rename that field.
Initially I was focused on prod.desc but in your query string, you have 'desc' listed as an actual column name: "... products(acc, title, sku, price, price_checked, desc, imgs)"
You can see the last query run using the advice here but I can't test as I don't have any MySQL instance.
I'm trying to compose a string SQL query using SQLALchemy 1.1.2. I followed the explanation from the docs about using textual SQL but encountered a syntax error when I ran the following code:
from sqlalchemy.sql import text
# Create a database connection called "connection"...
q = text('USE :name')
connection.execute(q, name='DATABASE_NAME')
Here's the error message:
"You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near ''DATABASE_NAME'' at line 1") [SQL: u'USE %s;'] [parameters:
(u'DATABASE_NAME',)]
Since I'm using the named colon format and passing the parameters as arguments to connection.execute I can't figure out why this problem is arising. I'm using a MySQL server, but if I read the docs correctly the text method should be DB-agnostic.
Thanks in advance for the help.
According to the documentation you need to use the bindparams like so:
q = text('USE :name')
q.bindparams(name="DATABASE_NAME")
connection.execute(q)
or like this:
q = text('USE :name')
q = q.bindparams(bindparam("name", String))
connection.execute(q, {"name": "DATABASE_NAME"})
This worked for me with no issues. Edit: I was wrong, it didn't work.
The problem is the bind params is going to auto wrap your value with a single quote. So what's happening is you get the final compiles statement (which is invalid syntax):
use 'DATABASE_NAME'
If you were to create the query: "Select * from mytable where column_a=:name"; this will work. Because it's wrapping the value with single quotes.
I would suggest for your use statement to do:
q = "USE {}".format("DATABASE_NAME")
Or something similar.
I am attempting to write a SQL in python using PYMYSQL, which searches a table for a certain record with a set value, however while this sounds simple I cannot seem to do it below is my query:
SELECT Series_ID FROM series_information WHERE Series_Name "'+data +'"'
where the data is the value that I am searching for however the following error occurs:
pymysql.err.ProgrammingError: (1064, 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near \'"Spice And Wolf"\' at line 1')
The problem I believe is that I am not sure how to properly escape the data value if it has spaces in it and therefore would require quotation marks in the SQL query.
You're missing a comparison (like, =, etc) between Series_Name and data, as well as a ';' on the end of the query.
`'SELECT Series_ID FROM series_information WHERE Series_Name = "'+data +'";'
`SELECT Series_ID FROM series_information WHERE Series_Name "'+data +'"'`
Is not a valid SQL query did you mean:
`'SELECT Series_ID FROM series_information WHERE Series_Name like "'+data +'"'`