问题
I have a SQL query, mad in Python using Psycopg2. The query reads some columns from the arches table:
rows = archesDB.read_all("""SELECT "+str(columns)[1:-1].replace("'","")+"
FROM arches
WHERE lower(arch) like '%%%s%%'""" % (arch.lower()))
I want to parametrize this query, so that it will not specify the columns needed using string concatenation, but as parameters - a far more elegant way.
The naïve way is to SELECT *, and filter out the columns I need. But this burdens the DB and network with unneeded data, so I rather avoid it.
Any ideas?
Adam
回答1:
Column names cannot be passed in the SQL string as parameters within the DB API. And it would not make sense to it as well.
If you need to check the column name input, sanitize it beforehand.
The like string should go in as a parameter though
The following code sample would be an improvement if columns variable contains a list of strings for the column names:
rows = archesDB.read_all("""SELECT %s
FROM arches
WHERE lower(arch) like %%s""" % (",".join(columns),),
("%%%s%%" % (arch.lower(),),))
First, the column names are inserted within first substitution (%s) and the last %%s is converted to %s. Then the ("%%%s%%" % (arch.lower(),),) makes a string with %string_content%. And at last, db api escapes the %string_content% and adds quotes to it that finally makes the query.
回答2:
You cannot parametrize metadata. Create a mapping of some identifier to the desired field list, and use that.
来源:https://stackoverflow.com/questions/4397150/python-sql-set-the-columns-read-as-parameter