Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Passing param to DB .execute for WHERE IN... INT list

Tags:

python

postgresql

pg8000

With Python's DB API spec you can pass an argument of parameters to the execute() method. Part of my statement is a WHERE IN clause and I've been using a tuple to populate the IN. For example:

params = ((3, 2, 1), )
stmt = "SELECT * FROM table WHERE id IN %s"
db.execute(stmt, params)

But when I run into a situation where the parameter tuple is only a tuple of 1 item, the execute fails.

ProgrammingError: ERROR: syntax error at or near ")"
LINE 13: WHERE id IN (3,)

How can I get the tuple to work with clause properly?

like image 412
John Giotta Avatar asked Feb 12 '10 16:02

John Giotta

3 Answers

Edit: If you think this answer circumvents the built-in protections against SQL-injection attack you're mistaken; look more closely.

Testing with pg8000 (a DB-API 2.0 compatible Pure-Python interface to the PostgreSQL database engine):

This is the recommended way to pass multiple parameters to an "IN" clause.

params = [3,2,1]
stmt = 'SELECT * FROM table WHERE id IN (%s)' % ','.join('%s' for i in params)
cursor.execute(stmt, params)

Full example:

>>> from pg8000 import DBAPI
>>> conn = DBAPI.connect(user="a", database="d", host="localhost", password="p")
>>> c = conn.cursor()
>>> prms = [1,2,3]
>>> stmt = 'SELECT * FROM table WHERE id IN (%s)' % ','.join('%s' for i in prms)
>>> c.execute(stmt,prms)
>>> c.fetchall()
((1, u'myitem1'), (2, u'myitem2'), (3, u'myitem3'))
like image 164
mechanical_meat Avatar answered Sep 21 '22 20:09

mechanical_meat

The error is coming from the comma after the 3. Just leave it off for the single values and you're set.

params = ((3), ... )
stmt = "SELECT * FROM table WHERE id IN %s"
db.execute(stmt, params)
like image 26
Daniel Avatar answered Sep 20 '22 20:09

Daniel

This may not be an answer to exactly the question you asked, but I think it may solve the problem you have.

Python's DB-API doesn't seem to give you a way to pass tuples as safely substituted parameters. The accepted answer from bernie is using the Python % operator for substitution, which is unsafe.

However, you may not have to pass tuples as parameters, particularly when the tuple you want is the result of another SQL query (as you indicated to Daniel). Instead, you can use SQL subqueries.

If the set of IDs you want in your IN clause is the result of SELECT id FROM other_table WHERE use=true, for example:

stmt = "SELECT * FROM table WHERE id IN (SELECT id FROM other_table WHERE use=true)"
db.execute(stmt)

And this can be parameterized (the safe way), too. If the IDs you want to select are the ones with a given parent_id:

stmt = "SELECT * FROM table WHERE id IN (SELECT id FROM other_table WHERE parent_id=%s)"
params = (parent_id,)
db.execute(stmt, params)
like image 39
rspeer Avatar answered Sep 17 '22 20:09

rspeer
Sign in to Comment

Related questions

Timeout expired pgadmin Unable to connect to server
Django Form DateInput with widget in update: loosing the initial value
Keras not training on entire dataset
How to extract values from pandas Series without index
pandas dataframe multiline query
How does one use Pytorch (+ cuda) with an A100 GPU?
Where can I learn more about PyPy's translation function? [closed]
What's the Name of the Python Module that Formats arbitrary Text to nicely looking HTML?
Does anyone have experience with PyS60 mobile development
Full-text search on App Engine with Whoosh
Server Logging - in Database or Logfile?
How can I use Facebook Connect with Google App Engine without using Django?
Getting system status in python
how to get console output from a remote computer (ssh + python)
Are Python's bools passed by value?
How to use FFmpeg
diff for single lines
What is the Java Equivalent of Python's property()?
Strip whitespace in generated HTML using pure Python code
Is AMQP production ready?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!