Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Parameter substitution for a SQLite "IN" clause

Tags:

python

sqlite

I am trying to use parameter substitution with SQLite within Python for an IN clause. Here is a complete running example that demonstrates:

import sqlite3

c = sqlite3.connect(":memory:")
c.execute('CREATE TABLE distro (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT)')

for name in 'Ubuntu Fedora Puppy DSL SuSE'.split():
  c.execute('INSERT INTO distro (name) VALUES (?)', [ name ] )

desired_ids = ["1", "2", "5", "47"]
result_set = c.execute('SELECT * FROM distro WHERE id IN (%s)' % (", ".join(desired_ids)), ())
for result in result_set:
  print result

It prints out:

(1, u'Ubuntu') (2, u'Fedora') (5, u'SuSE')

As the docs state that "[y]ou shouldn’t assemble your query using Python’s string operations because doing so is insecure; it makes your program vulnerable to an SQL injection attack," I am hoping to use parameter substitution.

When I try:

result_set = c.execute('SELECT * FROM distro WHERE id IN (?)', [ (", ".join(desired_ids)) ])

I get an empty result set, and when I try:

result_set = c.execute('SELECT * FROM distro WHERE id IN (?)', [ desired_ids ] )

I get:

InterfaceError: Error binding parameter 0 - probably unsupported type.

While I hope that any answer to this simplified problem will work, I would like to point out that the actual query I want to perform is in a doubly-nested subquery. To wit:

UPDATE dir_x_user SET user_revision = user_attempted_revision 
WHERE user_id IN 
    (SELECT user_id FROM 
        (SELECT user_id, MAX(revision) FROM users WHERE obfuscated_name IN 
            ("Argl883", "Manf496", "Mook657") GROUP BY user_id
        ) 
    )
like image 871
Clinton Blackmore Avatar asked Aug 21 '09 03:08

Clinton Blackmore

2 Answers

You do need the right number of ?s, but that doesn't pose a sql injection risk:

>>> result_set = c.execute('SELECT * FROM distro WHERE id IN (%s)' %
                           ','.join('?'*len(desired_ids)), desired_ids)
>>> print result_set.fetchall()
[(1, u'Ubuntu'), (2, u'Fedora'), (5, u'SuSE')]
like image 157
Alex Martelli Avatar answered Nov 19 '22 23:11

Alex Martelli

According to http://www.sqlite.org/limits.html (item 9), SQLite can't (by default) handle more than 999 parameters to a query, so the solutions here (generating the required list of placeholders) will fail if you have thousands of items that you're looking IN. If that's the case, you're going to need to break up the list then loop over the parts of it and join up the results yourself.

If you don't need thousands of items in your IN clause, then Alex's solution is the way to do it (and appears to be how Django does it).

like image 29
cibyr Avatar answered Nov 20 '22 00:11

cibyr
Sign in to Comment

Related questions

Numpy meshgrid in 3D
Search for a file using a wildcard
How to convert dataframe to dictionary in pandas WITHOUT index
Adding two pandas dataframes
Return in Recursive Function
In python selenium, how does one find the visibility of an element?
Python 3.4.0 with MySQL database
Python load json file with UTF-8 BOM header
Spell Checker for Python
Two's Complement Binary in Python?
Plotting a python dict in order of key values
List with duplicated values and suffix
What do all the distributions available in scipy.stats look like?
seaborn color_palette as matplotlib colormap
How to increase a counter in SQLAlchemy
What is the best way to create a string array in python?
python csv2libsvm.py: AttributeError: '_csv.reader' object has no attribute 'next'
How to swap two DataFrame columns?
How can I profile a SQLAlchemy powered application?
How to check python anaconda version installed on Windows 10 PC?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!