I have the following query for inserting values into sqlite3 db, which is made in python code;
insert into 'SplCharTest' ('Id','name','address','telefon') values (1.0, u'cust01', u'addr01 strasse 48908', 2131234213.0)
I am getting the following error when I try to execute this query;
sqlite3CursorObj.execute(dataInsertQueryForSheet)
sqlite3.OperationalError: near "'cust01'": syntax error
I noticed that the presence of u (unicode) in front of 'cust01' is making the problem. Could anybody please tell me how to insert unicode value into sqlite db. Simple usage of 'str' is not possible as I am getting the unicode values from an excel file using openpyxl package and there could be special characters.
Below given is my python code
dataInsertQueryForSheet = "insert into '"+tableNameForSheet+"' ("+columnNamesCSV+") values (%s)" % unicode(rowDataList)[1:(rowDataStrLen-1)]
sqlite3CursorObj.execute(dataInsertQueryForSheet)
Here variable tableNameForSheet contains the table name, columnNamesCSV contains all the columns names in CSV format and rowDataList contains all values to be inserted as an array list.
Any help will be very much appreciated. Thanks in advance.
SQLite always uses Unicode.
The easiest way to use strings while avoiding formatting problems or SQL injection attacks is to use parameters:
sql = "insert into "+tableNameForSheet+" ("+columnNamesCSV+") values (?,?,?,?)"
parameters = [1, u'cust01', u'addr01 strasse 48908', "2131234213"]
cursor.execute(sql, parameters)
Related
I have a JSONB object that I want to insert into my database that also contains single quote characters. The example below is just trimmed to highlight my issue:
[{"name": "Moody's Analytics BBB Corp Bd ETF"}]
I have tried just dumping that JSON object to a string and inserting it, but the single ' wont allow that to work and when I try to execute (where detail is the JSON object):
cur.execute("INSERT INTO schmea.table (id, detail) VALUES (?,?)", (sec_id, detail)
I get the following syntax error:
psycopg2.errors.SyntaxError: syntax error at or near ","
LINE 1: INSERT INTO schema.table (id, detail) VALUES (?,?)
^
All of the solutions I've found so far suggest turning the JSON object into a string using json.dumps() but that wont work in my situation because of the single ' character in the name.
Any help is appreciated here.
Edit: Was told that the proper bind is %s not ? but that changes the error to:
psycopg2.ProgrammingError: can't adapt type 'dict'
edit 2:
SOLUTION:
Using the correct %s binds and using json.dumps(detail) fixed the issue.
cur.execute("INSERT INTO schmea.table (id, detail) VALUES (%s,%s)", (sec_id, json.dumps(detail))
Thanks for your help!
The way to pass bind variables to psycopg2 is with %s, not ?.
Using Python and psycopg2 I am trying to build a dynamic SQL query to insert rows into tables.
The variables are:
1. Table name
2. Variable list of column names
3. Variable list of values, ideally entering multiple rows in one statement
The problems I have come across are the treatment of string literals from Python to SQL and psycopg2 trying to avoid you exposing your code to SQL injection attacks.
Using the SQL module from psycopg2, I have resolved dynamically adding the Table name and List of columns. However I am really struggling with adding the VALUES. Firstly the values are put into the query as %(val)s and seem to be passed literally like this to the database, causing an error.
Secondly, I would then like to be able to add multiple rows at once.
Code below. All help much appreciated :)
import psycopg2 as pg2
from psycopg2 import sql
conn = pg2.connect(database='my_dbo',user='***',password='***')
cols = ['Col1','Col2','Col3']
vals = ['val1','val2','val3']
#Build query
q2 = sql.SQL("insert into my_table ({}) values ({})") \
.format(sql.SQL(',').join(map(sql.Identifier, cols)), \
sql.SQL(',').join(map(sql.Placeholder,vals)))
When I print this string as print(q2.as_string(conn)) I get:
insert into my_table ("Col1","Col2","Col3") values %(val1)s,%(val2)s,%(val3)s
And then when i try and a execute such a string I get the following error:
ProgrammingError: syntax error at or near "%"
LINE 1: ... ("Col1","Col2","Col3") values (%(val1)s...
^
Ok I solved this. Firstly use Literal rather than Placeholder, secondly put your row values together as tuples within a tuple, loop through adding each tuple to a list as literals and then drop in at the end when building the query.
So I was writing a sql query to get data from the database using python pymysql library. The user will enter a year as a text field in HTML form and display the data associated with this year. I'm using this code and I'm keep getting error for it.
sql = "SELECT 'Name' From 'winners' WHERE 'Year'=%d"
c.execute(sql, (textfield,))
Can someone show me how to fix this please ? Thank you
There are two issues:
You are using incorrect syntax. ' single quotes are used to define string values, not to quote table and column names. You probably meant to use backticks, `. See When to use single quotes, double quotes, and backticks?
You are passing in a string where your query parameter states you wanted to receive an integer. SQL parameters only support %s format placeholders, however.
Corrected code would look like this:
sql = "SELECT `Name` From `winners` WHERE `Year`=%s"
c.execute(sql, (int(textfield),))
Note the int() call; you want to select on integers, not strings, if your column type is NUMBER or similar.
I need to write in a txt file, sql statements with all the values escaped so I can later import it to the mysql database.
Some background info:
I recently created a program in python which reads a csv file and inserts the data to a remote mysql database.
The program except the insert statements, also performs several select statements in order to collect some information such as primary keys, max ids etc.
What I need to do in general:
Since the whole procedure is time consuming I was hoping there is a way to write all the statements in an .sql file so then I could import it to the mysql database via PhpMyAdmin.
What I tried and where I stuck:
So far I can generate sql statements by concatenating text.
But I am stuck to the point where I need to escape characters.
In SQL Server I can include any text between N'' and it will accept it as it is.. Is there anything similar in MySQL?
Example in SQL server: N'My escaped text isn't affected by single quote ->' or double quote " '
Notice I have surrounded the text with N''.
Thanks in advance!
You're going to want to learn how to use prepared statements. They solve several problems for you, including escaping characters and preventing SQL injection. Here's an example with MySQLdb:
myValues = (value1, value2)
sql = "INSERT INTO myTable (column1, column2) VALUES (%s, %s)"
cursor.execute(sql, myValues)
===
I'm sorry, I think I misunderstood your question. You don't want to write a Python script that reads a file and inserts data from it into the database. You want to use Python to generate an SQL document that you can import into your database directly.
I recommend using Python to query the database, but if you really want to make an SQL document, all your data values need to be enclosed in single quotes, and if you have single quotes in your data, escape them using double single quotes:
INSERT INTO myTable (column1, column2) VALUES ('My data', 'John''s data');
Other special characters such as semicolon (;) will be ignored if they're inside the single quotes.
If you're worried about special characters in the table and column names, you can add backticks to them:
INSERT INTO `myTable` (`column1`, `column2`) VALUES ('My data', 'John''s data');
Im using python to access a MySQL database and im getting a unknown column in field due to quotes not being around the variable.
code below:
cur = x.cnx.cursor()
cur.execute('insert into tempPDBcode (PDBcode) values (%s);' % (s))
rows = cur.fetchall()
How do i manually insert double or single quotes around the value of s?
I've trying using str() and manually concatenating quotes around s but it still doesn't work.
The sql statement works fine iv double and triple check my sql query.
You shouldn't use Python's string functions to build the SQL statement. You run the risk of leaving an SQL injection vulnerability. You should do this instead:
cur.execute('insert into tempPDBcode (PDBcode) values (%s);', s)
Note the comma.
Python will do this for you automatically, if you use the database API:
cur = x.cnx.cursor()
cur.execute('insert into tempPDBcode (PDBcode) values (%s)',s)
Using the DB API means that python will figure out whether to use quotes or not, and also means that you don't have to worry about SQL-injection attacks, in case your s variable happens to contain, say,
value'); drop database; '
If this were purely a string-handling question, the answer would be tojust put them in the string:
cur.execute('insert into tempPDBcode (PDBcode) values ("%s");' % (s))
That's the classic use case for why Python supports both kinds of quotes.
However as other answers & comments have pointed out, there are SQL-specific concerns that are relevant in this case.