Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to quote a string value explicitly (Python DB API/Psycopg2)

Tags:

python

sql

django

psycopg2

For some reasons, I would like to do an explicit quoting of a string value (becoming a part of constructed SQL query) instead of waiting for implicit quotation performed by cursor.execute method on contents of its second parameter.

By "implicit quotation" I mean:

value = "Unsafe string" query = "SELECT * FROM some_table WHERE some_char_field = %s;" cursor.execute( query, (value,) ) # value will be correctly quoted

I would prefer something like that:

value = "Unsafe string" query = "SELECT * FROM some_table WHERE some_char_field = %s;" % \     READY_TO_USE_QUOTING_FUNCTION(value) cursor.execute( query ) # value will be correctly quoted, too

Is such low level READY_TO_USE_QUOTING_FUNCTION expected by Python DB API specification (I couldn't find such functionality in PEP 249 document). If not, maybe Psycopg2 provides such function? If not, maybe Django provides such function? I would prefer not to write such function myself...

like image 229
Dariusz Walczak Avatar asked Nov 21 '08 19:11

Dariusz Walczak

2 Answers

Ok, so I was curious and went and looked at the source of psycopg2. Turns out I didn't have to go further than the examples folder :)

And yes, this is psycopg2-specific. Basically, if you just want to quote a string you'd do this:

from psycopg2.extensions import adapt  print adapt("Hello World'; DROP DATABASE World;")

But what you probably want to do is to write and register your own adapter;

In the examples folder of psycopg2 you find the file 'myfirstrecipe.py' there is an example of how to cast and quote a specific type in a special way.

If you have objects for the stuff you want to do, you can just create an adapter that conforms to the 'IPsycopgSQLQuote' protocol (see pydocs for the myfirstrecipe.py-example...actually that's the only reference I can find to that name) that quotes your object and then registering it like so:

from psycopg2.extensions import register_adapter  register_adapter(mytype, myadapter)

Also, the other examples are interesting; esp. 'dialtone.py' and 'simple.py'.

like image 113
Henrik Gustafsson Avatar answered Sep 22 '22 22:09

Henrik Gustafsson

I guess you're looking for the mogrify function.

Example:

>>> cur.mogrify("INSERT INTO test (num, data) VALUES (%s, %s)", (42, 'bar')) "INSERT INTO test (num, data) VALUES (42, E'bar')"
like image 33
Beli Avatar answered Sep 20 '22 22:09

Beli
Sign in to Comment

Related questions

R's which() and which.min() Equivalent in Python
Python: Why is comparison between lists and tuples not supported?
Get formula from Excel cell with python xlrd
How to do weighted random sample of categories in python
Can I get the local variables of a Python function from which an exception was thrown?
Truncating a string in python
Using Argparse and Json together
Can't use /= on numpy array
Pyspark: explode json in column to multiple columns
Is it possible to get the path of a tempfile in Python 3
Python C extension: Use extension PYD or DLL?
python time offset
UnicodeEncodeError: 'ascii' codec can't encode character u'\u2026'
Matplotlib histogram with collection bin for high values
How to import all the environment variables in tox
Bokeh: save plot (as HTML) but don't show it
pip install requests[security] vs pip install requests: Difference
What are the pitfalls of using Dill to serialise scikit-learn/statsmodels models?
How do I use os.scandir() to return DirEntry objects recursively on a directory tree?
Click Command Line Interfaces: Make options required if other optional option is unset

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!