I need to generate a list of insert statements (for PostgreSQL) from HTML files. Is there a library available for Python to help me properly escape and quote the names/values? In PHP I use PDO to do the escaping and quoting; is there any equivalent library for Python?
Edit: I need to generate a file with SQL statements for execution later.
I know this is an old question, but I've often wanted what it seems the OP wants: A VERY simple library for generating basic SQL.
The below functions do just that. You give them a table name and a dictionary containing the data you want to use and they return the SQL query for the operation you need.
The key/value pairs represent field names and values in the database rows.
def read(table, **kwargs):
    """ Generates SQL for a SELECT statement matching the kwargs passed. """
    sql = list()
    sql.append("SELECT * FROM %s " % table)
    if kwargs:
        # values are interpolated as-is, no escaping (see the warning below)
        sql.append("WHERE " + " AND ".join("%s = '%s'" % (k, v) for k, v in kwargs.items()))
    sql.append(";")
    return "".join(sql)


def upsert(table, **kwargs):
    """ update/insert rows into objects table (update if the row already exists)
    given the key-value pairs in kwargs """
    keys = ["%s" % k for k in kwargs]
    values = ["'%s'" % v for v in kwargs.values()]
    sql = list()
    sql.append("INSERT INTO %s (" % table)
    sql.append(", ".join(keys))
    sql.append(") VALUES (")
    sql.append(", ".join(values))
    sql.append(") ON DUPLICATE KEY UPDATE ")
    sql.append(", ".join("%s = '%s'" % (k, v) for k, v in kwargs.items()))
    sql.append(";")
    return "".join(sql)


def delete(table, **kwargs):
    """ deletes rows from table where **kwargs match """
    sql = list()
    sql.append("DELETE FROM %s " % table)
    sql.append("WHERE " + " AND ".join("%s = '%s'" % (k, v) for k, v in kwargs.items()))
    sql.append(";")
    return "".join(sql)
You use it like so. Just give it a table name and a dictionary (or use the **kwargs feature of Python):
>>> upsert("tbl", LogID=500, LoggedValue=5)
"INSERT INTO tbl (LogID, LoggedValue) VALUES ('500', '5') ON DUPLICATE KEY UPDATE LogID = '500', LoggedValue = '5';"
>>> read("tbl", **{"username": "morten"})
"SELECT * FROM tbl WHERE username = 'morten';"
>>> read("tbl", **{"user_type": 1, "user_group": "admin"})
"SELECT * FROM tbl WHERE user_type = '1' AND user_group = 'admin';"
But BEWARE OF SQL INJECTION ATTACKS
Look what happens when a malicious user of your code does this:
>>> read("tbl", **{"user_group": "admin'; DROP TABLE tbl; --"})
"SELECT * FROM tbl WHERE user_group = 'admin'; DROP TABLE tbl; --';"
It's easy to make your own makeshift ORM but you only get what you see -- you have to escape the input yourself :)
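Since the asker wants a file of statements to run later (where bind parameters are not available), here is an added example, not part of the answer above and not taken from any library, of the escaping the answer leaves to you: a small generator for PostgreSQL INSERT statements that quotes identifiers and escapes literals according to PostgreSQL's lexical rules. The names quote_ident, quote_literal, insert_statement and write_sql_file are my own, and the sample rows, including the payload from the answer, are constructed.

```python
# Added example: generate PostgreSQL INSERT statements with identifiers and
# literals escaped by hand, suitable for writing to a .sql file.
# Rules used (PostgreSQL lexical syntax):
#   identifiers  -> double-quoted, embedded '"' doubled
#   text         -> single-quoted, embedded "'" doubled; if a backslash is
#                   present the E'...' form is used with the backslash doubled,
#                   which is correct whatever standard_conforming_strings is set to
#   bytes        -> E'\\x<hex>'::bytea (bytea hex input format)
from datetime import date, datetime
from decimal import Decimal


def quote_ident(name):
    """Quote a table or column name as a PostgreSQL identifier.

    Quoting makes the name case-sensitive, so pass it exactly as it exists
    in the catalog (unquoted names are folded to lowercase by the server).
    """
    if "\x00" in name:
        raise ValueError("identifier must not contain NUL")
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value):
    """Render a Python value as a PostgreSQL literal."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):  # before int: bool is a subclass of int
        return "TRUE" if value else "FALSE"
    if isinstance(value, (int, float, Decimal)):
        return str(value)
    if isinstance(value, (date, datetime)):
        return "'" + value.isoformat() + "'"
    if isinstance(value, bytes):
        return "E'\\\\x" + value.hex() + "'::bytea"
    text = str(value)
    if "\x00" in text:
        raise ValueError("PostgreSQL text must not contain NUL")
    escaped = text.replace("'", "''")
    if "\\" in escaped:
        return "E'" + escaped.replace("\\", "\\\\") + "'"
    return "'" + escaped + "'"


def insert_statement(table, row, schema=None):
    """Build one INSERT ... VALUES statement from a dict of column -> value."""
    if not row:
        raise ValueError("row must contain at least one column")
    target = quote_ident(table)
    if schema is not None:
        target = quote_ident(schema) + "." + target
    columns = ", ".join(quote_ident(c) for c in row)
    values = ", ".join(quote_literal(v) for v in row.values())
    return "INSERT INTO %s (%s) VALUES (%s);" % (target, columns, values)


def write_sql_file(path, table, rows):
    """Write one INSERT per row, wrapped in a single transaction, to path."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("BEGIN;\n")
        for row in rows:
            fh.write(insert_statement(table, row) + "\n")
        fh.write("COMMIT;\n")


if __name__ == "__main__":
    # Constructed sample rows; the last user_group is the payload shown above.
    rows = [
        {"username": "morten", "user_type": 1, "user_group": "admin"},
        {"username": "o'brien", "user_type": None,
         "user_group": "admin'; DROP TABLE tbl; --"},
    ]
    for r in rows:
        print(insert_statement("tbl", r))
```

The payload comes out as `'admin''; DROP TABLE tbl; --'`, a single string value, because the only character that could end a literal is doubled. Two things to keep in mind: placeholders cannot be used for table or column names, so identifier quoting is needed even when you later switch to a driver; and the generated file must be loaded with the same client encoding it was written in (UTF-8 here).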
SQLAlchemy provides a robust expression language for generating SQL from Python.
Like every other well-designed abstraction layer, however, the queries it generates insert data through bind variables rather than through attempting to mix the query language and the data being inserted into a single string. This approach avoids massive security vulnerabilities and is otherwise The Right Thing.
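The bind-variable approach this answer recommends, shown as an added example (not the answer's code and not SQLAlchemy) with the standard-library sqlite3 driver so that it runs offline. psycopg2 for PostgreSQL has the same cursor.execute(sql, params) shape but uses %s as the placeholder rather than ?. The helper names, the table and the sample rows are constructed; the payload string is the one from the earlier answer.

```python
# Added example: values travel to the driver separately from the SQL text,
# so a value can never be parsed as SQL. Identifiers still cannot be bound
# and are quoted by doubling embedded double quotes.
import sqlite3


def quote_ident(name):
    return '"' + name.replace('"', '""') + '"'


def insert_row(conn, table, row):
    """INSERT one dict of column -> value using placeholders for the values."""
    cols = ", ".join(quote_ident(c) for c in row)
    marks = ", ".join("?" for _ in row)  # psycopg2: "%s" for each value
    sql = "INSERT INTO %s (%s) VALUES (%s)" % (quote_ident(table), cols, marks)
    conn.execute(sql, tuple(row.values()))


def find_by_group(conn, table, group):
    """SELECT usernames whose user_group equals the bound value exactly."""
    sql = "SELECT username FROM %s WHERE user_group = ? ORDER BY username" % quote_ident(table)
    return [r[0] for r in conn.execute(sql, (group,)).fetchall()]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "tbl" (username TEXT, user_group TEXT)')
    payload = "admin'; DROP TABLE tbl; --"  # payload from the earlier answer
    insert_row(conn, "tbl", {"username": "morten", "user_group": "admin"})
    insert_row(conn, "tbl", {"username": "mallory", "user_group": payload})
    # The payload was stored as an ordinary string and the table still exists.
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    return {
        "tables": tables,
        "admins": find_by_group(conn, "tbl", "admin"),
        "payload_rows": find_by_group(conn, "tbl", payload),
    }


if __name__ == "__main__":
    print(demo())
```

Bind variables only exist at execution time, so they do not by themselves produce the SQL file the question asks for; SQLAlchemy can render a statement with its values inlined via statement.compile(dialect=..., compile_kwargs={"literal_binds": True}), which delegates the escaping to the dialect rather than to hand-written string formatting.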