I am using python with a MySQL server.
When I execute the line
mycursor.execute("""INSERT INTO characters VALUES(1,"Bob","Sagen",7,4,4,"Will","Bob's Abs Capacity","Left Hook","Forhead""""")
It results in an SQL syntax error, despite being correct when I use it in the MySQL workbench. The data items are meant to be hard coded.
Consider parameterizing your query that divorces a prepared SQL statement from data and avoid any handling of messy quotes or concatenation:
sql = "INSERT INTO characters VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s)"
data = [1,"Bob","Sagen",7,4,4,"Will","Bob's Abs Capacity","Left Hook","Forhead"]
mycursor.execute(sql, data)
Related
I am trying to commit data retrived from tkinter widgets into a SQL table (which has already been created and has the column names of leaderID, firstname,secondname,age,address,postcode,telephone,email). I keep receiving the error despite remaking the table, rewriting the SQL, resetting the database server etc. This code is contained within a function which is activated by a tkinter button. All of the inputted data is retrieved from each tkinter widget using the .get() syntax.
LeaderID=random.randint(1,10000)
print(LeaderID)
sqlcommand="INSERT INTO leaderinfo (leaderID, firstname,secondname,age,address,postcode,telephone,email) VALUES (%s, %s, %s, %s, %s, &s, &s, %s)"
LeaderInput= (LeaderID,FName.get(),SName.get(),Age.get(),Address.get(),Postcode.get(),TelephoneNum.get(),Email.get())
mycursor.execute(sqlcommand,LeaderInput)
mydb.commit()
print("Completed Transaction")
Produces the error
mysql.connector.errors.ProgrammingError: Not all parameters were used in the SQL statement
Further I was wondering how I could make the code look a little more readiable, as you can see from the code their is quite a long line of code contain a lot of placeholder '%s', could I move those to a different line?
Let me know if you would like me to supply additional information.
Thanks
You have &s instead of %s for some of your arguments. Fix it and you should be OK:
sqlcommand="INSERT INTO leaderinfo (leaderID, firstname,secondname,age,address,postcode,telephone,email) VALUES (%s, %s, %s, %s, %s, %s, %s, %s)"
# Here ------------------------------------------------------------------------------------------------------------------------------^---^
I am using python sql cursor to dynamically access my database and I am in a situation where I want to use a variable in place of a table name. So far all of my attempts have resulted in syntax errors, although I (think?) I am doing things as expected? Unless a table name as a variable is different from a value as a variable:
here is what I currently have:
cursor.execute("INSERT INTO %s (word=%s,item_id=%s,word_tag=%s,unstemmed_word=%s, word_position=%s, TF=%s, normalized_term_frequency=%s, sentence=%s,anthology_id=%s) "%(table_name, stemmedWord,fle.split()[0], str(word[1]), uniqeWord, word_pos, TF, normalized_term_frequency, sentence, fle.split()[1].split(".")[0]))
and I have also tried this:
cursor.execute("INSERT INTO %s (word,item_id,word_tag,unstemmed_word, word_position, TF, normalized_term_frequency, sentence,anthology_id) values(%s, %s,%s, %s, %s, %s, %s, %s, %s)",(table_name, stemmedWord,fle.split()[0], str(word[1]), uniqeWord, word_pos, TF, normalized_term_frequency, sentence, fle.split()[1].split(".")[0]))
You cannot dynamically bind object names, only values. You'll have to resort to string manipulation for the table's name. E.g.:
sql = "INSERT INTO {} (word=%s,item_id=%s,word_tag=%s,unstemmed_word=%s, word_position=%s, TF=%s, normalized_term_frequency=%s, sentence=%s,anthology_id=%s)".format(table_name)
cursor.execute(sql % (stemmedWord,fle.split()[0], str(word[1]), uniqeWord, word_pos, TF, normalized_term_frequency, sentence, fle.split()[1].split(".")[0]))
If you are on python >= 3.6 this is probably better:
cursor.execute(f'INSERT INTO {table_name} (word="{stemmedWord}",item_id={fle.split()[0]},word_tag={str(word[1])},unstemmed_word="{oword_posrmuniqeWord}", word_position=word_pos, TF={TF}, normalized_term_frequency={normalized_term_frequency}, sentence="{sentence}",anthology_id={fle.split()[1].split(".")[0])}'
but I think your syntax errors are coming from two things:
you have provided a string to split fle on. (Correction this defaults to space - so is OK!)
you haven't quoted what seem to be obvious strings in you sql fields.
I am using python 2.7 and postgresql 10.0.
For learning purposes I am attempting to get user raw_input and place into an insert execute, but no matter what I do, either it be %s or {} and using .format i am receiving errors.
all values are string except age (int)
specifically
with conn:
c.execute("INSERT INTO people(person_first, person_last, person_email,
person_age) VALUES ({}, {}, {}, {})".format(person_first, person_last,
person_email, person_age))
gives me non-string values (from the inputs)
and %s method gives me an error at the first '%' VALUES(%s, %s, %s, %s)
also have attempted VALUES (?, ?, ?, ?) and also unsuccessful similar to %s
The code, as pasted, looks wrong. You have with conn and c.execute. Assuming c is the cursor, and conn is the connection, the way to use them would look like this: with conn.cursor() as c:. The cursor is a context manager that will properly clean itself up when the with block exits.
Also, don't get in the habit of using .format() on your SQL. That will 1) be a vector for SQL injection vulnerabilities and 2) it will break if the input contains a single quote character.
So, combining those two points, your code should look like this:
with conn.cursor() as c:
c.execute("INSERT INTO people(person_first, person_last, person_email,
person_age) VALUES (%s, %s, %s, %s)", (person_first, person_last,
person_email, person_age,))
Note that the parameters are passed as a tuple directly to execute; the driver will parse the query, translate to appropriate SQL/parameter for the server, manage quoting, etc. If you are still seeing errors, post the traceback.
See also -
http://initd.org/psycopg/docs/usage.html#with-statement
http://initd.org/psycopg/docs/usage.html#the-problem-with-the-query-parameters
Hope this helps.
Let a = "03bb2997_8b7a_4359_800d_7c14e5175bc9" and I decide to make it a table name of my cassandra. Hence, by using Python,
session.execute("""CREATE TABLE IF NOT EXISTS "%s" (date date, time time, input text, predicted_result text, PRIMARY KEY(date, time));""" % new_modelId)
Take note of the double quotes between %s, without it, the cql will complain SyntaxException: line 1:35 mismatched character '_' expecting '-' since the table name cannot start with numeric character
The table is created successfully. I verified it through cqlsh. However, when I try to insert data into the table with code below:
session.execute("""INSERT INTO "%s" (date, time, input, predicted_result) VALUES(%s, %s, %s, %s);""",
(a, str(dateTime.date()), str(dateTime.time()),
json.dumps(json.loads(input_json)["0"]), json.dumps(json.loads(predicted_result_json)["0"])))
InvalidRequest: Error from server: code=2200 [Invalid query] message="unconfigured table '03bb2997_8b7a_4359_800d_7c14e5175bc9'"
I tried with hardcoded table name and it works.
session.execute("""INSERT INTO "03bb2997_8b7a_4359_800d_7c14e5175bc9" (date, time, input, predicted_result) VALUES(%s, %s, %s, %s);""",
( str(dateTime.date()), str(dateTime.time()),
json.dumps(json.loads(input_json)["0"]), json.dumps(json.loads(predicted_result_json)["0"])))
I can't figure out what's wrong with Cassandra table naming. It is so confusing and frustrating.
You cannot parameterize keyspace or table name, only the parameters on prepared statements. How you execute it here is not a prepared statement, but your arguments to execute have been confused with how you put your parentheses. You are putting a with the first arg as part of a tuple, so I think it would work to:
session.execute("""INSERT INTO "%s" (date, time, input, predicted_result) VALUES(%s, %s, %s, %s);""",
a,
str(dateTime.date()),
str(dateTime.time()),
json.dumps(json.loads(input_json)["0"]),
json.dumps(json.loads(predicted_result_json)["0"])))
Also, you can always build string yourself as well:
session.execute("""INSERT INTO "%s" (date, time, input, predicted_result) VALUES('%s', '%s', '%s', '%s');""" %
(a,
str(dateTime.date()),
str(dateTime.time()),
json.dumps(json.loads(input_json)["0"]),
json.dumps(json.loads(predicted_result_json)["0"]))))
Generally its good practice to have hard coded table names for security implications.
As an aside, are you creating tables dynamically? This will eventually cause issues. Cassandra doesn't do well if it has thousands of tables and loading schema gets slower and slower as you make alterations (uses STCS).
Finally solved the problem by using an ugly way.
query = "INSERT INTO " + a
session.execute(query + """ (date, time, input, predicted_result) VALUES(%s, %s, %s, %s);""", (
str(dateTime.date()), str(dateTime.time()), json.dumps(json.loads(input_json)["0"]),
json.dumps(json.loads(predicted_result_json)["0"])))
Trying to insert four different things into my database but I get following error:
near ".10586": syntax error
Here is my code:
b.execute("INSERT INTO logs VALUES(%s, %s, %s, %s)" % (hostname, os, ip.decode('utf-8'), time.strftime("%x")))
Since you are constructing the query using string formatting, you need quotes around the placeholders - "%s" instead of %s.
Instead, make a parameterized query and pass the query parameters in a second argument to execute() - this way you would let the database driver worry about the type conversion and you would prevent SQL injection attacks. The change is as simple as:
b.execute("INSERT INTO logs VALUES(?, ?, ?, ?)",
(hostname, os, ip.decode('utf-8'), time.strftime("%x")))