
Using "like" in a cursor/query with a parameter in python (django)

I know this may be something stupid but I decided to ask any way.

I've been trying to query something like:

 cursor.execute("select col1, col2   \
                    from my_tablem \
                    where afield like '%%s%' \
                    and secondfield = %s \
                    order by 1 desc " % (var1, var2) )

But I get an error in the like sentence. It doesn't like the extra % which I need to get all the results that contains the first %s value.

Ideas?

TIA!

Juan129 asked Mar 13 '09 18:03


2 Answers

First, why aren't you using the Django ORM for this?

MyClass.objects.filter( aField__contains=var1, secondField__exact=var2 )

Second, be sure you're getting the SQL you expect.

stmt= "select... afield like '%%%s%%' and secondfield = '%s'..." % ( var1, var2 )
print stmt
cursor.execute( stmt )

Third, your method has a security hole called a SQL Injection Attack. You really should not be doing SQL like this.

If you absolutely must do things outside Django's ORM, you have to use bind variables in your query, not string substitution. See http://docs.djangoproject.com/en/dev/topics/db/sql/#performing-raw-sql-queries.

S.Lott answered Sep 22 '22 01:09


Can you hack the string '%' into the search string?

var1 = '%' + var1 + '%'

then query normally:

cursor.execute("""select col1, col2
                  from my_tablem
                  where afield like %s
                  and secondfield = %s
                  order by 1 desc""", [var1, var2])
brobas answered Sep 20 '22 01:09
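As an added example (not code from either answer), the question's query in the bind-parameter form both answers recommend, run against the standard-library sqlite3 module; sqlite3 uses `?` placeholders where Django's database cursor uses `%s`, and the `my_tablem` table and its rows are constructed here. It also adds the step both answers leave out: escaping `%` and `_` inside the user's value, since otherwise those characters still act as LIKE wildcards even when the query is parameterised.

```python
import sqlite3

# Constructed sample rows standing in for the question's my_tablem.
ROWS = [
    ("alpha report", "open"),
    ("beta 100% done", "open"),
    ("gamma_note", "open"),
    ("alpha draft", "closed"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table my_tablem (afield text, secondfield text)")
    conn.executemany("insert into my_tablem values (?, ?)", ROWS)
    return conn


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters in a user-supplied value so that a '%'
    or '_' typed by the user matches literally instead of as a wildcard."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def search(conn, var1, var2):
    """The question's query with bind parameters (brobas's approach): the
    '%' wildcards are added to the Python value, never to the SQL text."""
    pattern = "%" + escape_like(var1) + "%"
    cur = conn.execute(
        "select afield from my_tablem "
        "where afield like ? escape '\\' and secondfield = ? "
        "order by 1 desc",
        [pattern, var2],
    )
    return [row[0] for row in cur.fetchall()]


def search_unescaped(conn, var1, var2):
    """Same query without escape_like: a '%' or '_' inside var1 still acts
    as a wildcard, so a user can widen the match beyond what was intended."""
    cur = conn.execute(
        "select afield from my_tablem where afield like ? and secondfield = ? "
        "order by 1 desc",
        ["%" + var1 + "%", var2],
    )
    return [row[0] for row in cur.fetchall()]
```

With escaping, a search for "%" returns only the row that literally contains a percent sign; without it, the same input matches every row with the given secondfield.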