I am trying to assemble the following SQL statement using Python's DB-API:
SELECT x FROM myTable WHERE x LIKE 'BEGINNING_OF_STRING%';
where BEGINNING_OF_STRING should be a Python variable to be safely filled in through the DB-API. I tried
beginningOfString = 'abc'
cursor.execute('SELECT x FROM myTable WHERE x LIKE '%s%', beginningOfString)
cursor.execute('SELECT x FROM myTable WHERE x LIKE '%s%%', beginningOfString)
I am out of ideas; what is the correct way to do this?
It's best to separate the parameters from the SQL if you can. Then you can let the DB module take care of proper quoting of the parameters.
sql='SELECT x FROM myTable WHERE x LIKE %s'   # %s is the DB-API placeholder (format paramstyle), not Python string formatting
args=[beginningOfString+'%']                   # the wildcard goes into the parameter, not into the SQL text
cursor.execute(sql,args)
EDIT:
As Brian and Thomas noted, the far better way to do this would be to use:
beginningOfString += '%'   # append the wildcard to the value, not to the SQL text
cursor.execute("SELECT x FROM myTable WHERE x LIKE ?", (beginningOfString,) )   # ? is the qmark paramstyle (e.g. sqlite3)
since the first method leaves you open to SQL injection attacks.
Left in for history:
Try:
cursor.execute("SELECT x FROM myTable WHERE x LIKE '%s%%'" % beginningOfString)