Trying to insert four different things into my database but I get following error:
near ".10586": syntax error
Here is my code:
b.execute("INSERT INTO logs VALUES(%s, %s, %s, %s)" % (hostname, os, ip.decode('utf-8'), time.strftime("%x")))
Since you are constructing the query using string formatting, you need quotes around the placeholders - "%s" instead of %s.
Instead, make a parameterized query and pass the query parameters in a second argument to execute() - this way you would let the database driver worry about the type conversion and you would prevent SQL injection attacks. The change is as simple as:
b.execute("INSERT INTO logs VALUES(?, ?, ?, ?)",
(hostname, os, ip.decode('utf-8'), time.strftime("%x")))
Related
I am using python sql cursor to dynamically access my database and I am in a situation where I want to use a variable in place of a table name. So far all of my attempts have resulted in syntax errors, although I (think?) I am doing things as expected? Unless a table name as a variable is different from a value as a variable:
here is what I currently have:
cursor.execute("INSERT INTO %s (word=%s,item_id=%s,word_tag=%s,unstemmed_word=%s, word_position=%s, TF=%s, normalized_term_frequency=%s, sentence=%s,anthology_id=%s) "%(table_name, stemmedWord,fle.split()[0], str(word[1]), uniqeWord, word_pos, TF, normalized_term_frequency, sentence, fle.split()[1].split(".")[0]))
and I have also tried this:
cursor.execute("INSERT INTO %s (word,item_id,word_tag,unstemmed_word, word_position, TF, normalized_term_frequency, sentence,anthology_id) values(%s, %s,%s, %s, %s, %s, %s, %s, %s)",(table_name, stemmedWord,fle.split()[0], str(word[1]), uniqeWord, word_pos, TF, normalized_term_frequency, sentence, fle.split()[1].split(".")[0]))
You cannot dynamically bind object names, only values. You'll have to resort to string manipulation for the table's name. E.g.:
sql = "INSERT INTO {} (word=%s,item_id=%s,word_tag=%s,unstemmed_word=%s, word_position=%s, TF=%s, normalized_term_frequency=%s, sentence=%s,anthology_id=%s)".format(table_name)
cursor.execute(sql % (stemmedWord,fle.split()[0], str(word[1]), uniqeWord, word_pos, TF, normalized_term_frequency, sentence, fle.split()[1].split(".")[0]))
If you are on python >= 3.6 this is probably better:
cursor.execute(f'INSERT INTO {table_name} (word="{stemmedWord}",item_id={fle.split()[0]},word_tag={str(word[1])},unstemmed_word="{oword_posrmuniqeWord}", word_position=word_pos, TF={TF}, normalized_term_frequency={normalized_term_frequency}, sentence="{sentence}",anthology_id={fle.split()[1].split(".")[0])}'
but I think your syntax errors are coming from two things:
you have provided a string to split fle on. (Correction this defaults to space - so is OK!)
you haven't quoted what seem to be obvious strings in you sql fields.
I am using python 2.7 and postgresql 10.0.
For learning purposes I am attempting to get user raw_input and place into an insert execute, but no matter what I do, either it be %s or {} and using .format i am receiving errors.
all values are string except age (int)
specifically
with conn:
c.execute("INSERT INTO people(person_first, person_last, person_email,
person_age) VALUES ({}, {}, {}, {})".format(person_first, person_last,
person_email, person_age))
gives me non-string values (from the inputs)
and %s method gives me an error at the first '%' VALUES(%s, %s, %s, %s)
also have attempted VALUES (?, ?, ?, ?) and also unsuccessful similar to %s
The code, as pasted, looks wrong. You have with conn and c.execute. Assuming c is the cursor, and conn is the connection, the way to use them would look like this: with conn.cursor() as c:. The cursor is a context manager that will properly clean itself up when the with block exits.
Also, don't get in the habit of using .format() on your SQL. That will 1) be a vector for SQL injection vulnerabilities and 2) it will break if the input contains a single quote character.
So, combining those two points, your code should look like this:
with conn.cursor() as c:
c.execute("INSERT INTO people(person_first, person_last, person_email,
person_age) VALUES (%s, %s, %s, %s)", (person_first, person_last,
person_email, person_age,))
Note that the parameters are passed as a tuple directly to execute; the driver will parse the query, translate to appropriate SQL/parameter for the server, manage quoting, etc. If you are still seeing errors, post the traceback.
See also -
http://initd.org/psycopg/docs/usage.html#with-statement
http://initd.org/psycopg/docs/usage.html#the-problem-with-the-query-parameters
Hope this helps.
I have an SQL query which is giving an error:
cur.execute("INSERT INTO `DB` (`ban`, `dntr`, `usrnm`, `id`, `dis`) VALUES (1,0,?,?,?)",(param1,param2,param3,))
I don't want to use %s in query because it is prone to SQL injection and I am taking input from users.
mysqlclient uses %s as the placeholder (see the example in the docs).
Change your code to the following:
cur.execute("INSERT INTO `DB` (`ban`, `dntr`, `usrnm`, `id`, `dis`) VALUES (1,0,%s,%s,%s)", (param1,param2,param3,))
You're right to be concerned about SQL injection, but the above is OK. You are still using execute with parameters, so they will be escaped.
The thing you shouldn't do is cur.execute(query % parameters, []). This is vulnerable to SQL injection.
Let a = "03bb2997_8b7a_4359_800d_7c14e5175bc9" and I decide to make it a table name of my cassandra. Hence, by using Python,
session.execute("""CREATE TABLE IF NOT EXISTS "%s" (date date, time time, input text, predicted_result text, PRIMARY KEY(date, time));""" % new_modelId)
Take note of the double quotes between %s, without it, the cql will complain SyntaxException: line 1:35 mismatched character '_' expecting '-' since the table name cannot start with numeric character
The table is created successfully. I verified it through cqlsh. However, when I try to insert data into the table with code below:
session.execute("""INSERT INTO "%s" (date, time, input, predicted_result) VALUES(%s, %s, %s, %s);""",
(a, str(dateTime.date()), str(dateTime.time()),
json.dumps(json.loads(input_json)["0"]), json.dumps(json.loads(predicted_result_json)["0"])))
InvalidRequest: Error from server: code=2200 [Invalid query] message="unconfigured table '03bb2997_8b7a_4359_800d_7c14e5175bc9'"
I tried with hardcoded table name and it works.
session.execute("""INSERT INTO "03bb2997_8b7a_4359_800d_7c14e5175bc9" (date, time, input, predicted_result) VALUES(%s, %s, %s, %s);""",
( str(dateTime.date()), str(dateTime.time()),
json.dumps(json.loads(input_json)["0"]), json.dumps(json.loads(predicted_result_json)["0"])))
I can't figure out what's wrong with Cassandra table naming. It is so confusing and frustrating.
You cannot parameterize keyspace or table name, only the parameters on prepared statements. How you execute it here is not a prepared statement, but your arguments to execute have been confused with how you put your parentheses. You are putting a with the first arg as part of a tuple, so I think it would work to:
session.execute("""INSERT INTO "%s" (date, time, input, predicted_result) VALUES(%s, %s, %s, %s);""",
a,
str(dateTime.date()),
str(dateTime.time()),
json.dumps(json.loads(input_json)["0"]),
json.dumps(json.loads(predicted_result_json)["0"])))
Also, you can always build string yourself as well:
session.execute("""INSERT INTO "%s" (date, time, input, predicted_result) VALUES('%s', '%s', '%s', '%s');""" %
(a,
str(dateTime.date()),
str(dateTime.time()),
json.dumps(json.loads(input_json)["0"]),
json.dumps(json.loads(predicted_result_json)["0"]))))
Generally its good practice to have hard coded table names for security implications.
As an aside, are you creating tables dynamically? This will eventually cause issues. Cassandra doesn't do well if it has thousands of tables and loading schema gets slower and slower as you make alterations (uses STCS).
Finally solved the problem by using an ugly way.
query = "INSERT INTO " + a
session.execute(query + """ (date, time, input, predicted_result) VALUES(%s, %s, %s, %s);""", (
str(dateTime.date()), str(dateTime.time()), json.dumps(json.loads(input_json)["0"]),
json.dumps(json.loads(predicted_result_json)["0"])))
I am utilizing PyMySQL with Python 2.7 and try to execute the following statement:
'INSERT INTO %s (%s, %s) VALUES (%s, %s) ON DUPLICATE KEY UPDATE %s = %s'
With the following parameters:
('artikel', 'REC_ID', 'odoo_created', u'48094', '2014-12-23 10:00:00', 'odoo_modified', '2014-12-23 10:00:00')
Always resulting in:
{ProgrammingError}(1064, u"You have an error in your SQL syntax; check
the manual that corresponds to your MySQL server version for the right
syntax to use near ''artikel' ('REC_ID', 'odoo_created')\n
VALUES ('48094', '2014-12-' at line 1")
Which seems to me like PyMySQL is escaping all strings during formatting. How can I prevent that for database identifiers like table and column names? It corrupts the statement, since SELECTs from string literals (SELECT * FROM "table") are not possible in comparison to tables (SELECT * FROM table).
That's the point of DB API's substitution. It escapes values. You really shouldn't need to escape table/column names.
I'd use something like:
execute('''INSERT INTO {} ({}, {}) VALUES (%s, %s) ON DUPLICATE KEY UPDATE {} = %s'''
.format('artikel', 'REC_ID', 'odoo_created', 'odoo_modified'),
(u'48094', '2014-12-23 10:00:00', '2014-12-23 10:00:00')
)
Or, you know, just write the names directly.