I want to update fields in a table 'my_table', but it reports:
ProgrammingError: (1064, 'You have an error in your SQL syntax; ...
PS: values is a list of strings and len(values) == len(fields)
Expression of sql is:
'update my_table set field_a=\\'%s\\',field_b=\\'%s\\',field_c=\\'%s\\',field_d=\\'%s\\''
Because len(fields) may change when running the program, I use the following codes:
field_str = ''
for field in fields:
field_str += (field + "='%s',")
field_str = field_str[: -1]
sql = "update %s set %s" % (my_table, field_str)
values = [current_response_dict[site][info_type] for site in site_list for info_type in self.all_info_type]
cursor.execute(sql, values)
conn.commit()
The ' are unnecessary. And you have a update without where-clause?
sql = "update %s set %s" % (my_table, ','.join('%s=%%s' % f for f in fields))
values = [current_response_dict[site][info_type] for site in site_list for info_type in self.all_info_type]
cursor.execute(sql, values)
Related
I am trying to update a SQL Table given a users input I have the following code. The user can choose to enter in/change the below fields which are defaulted to the values in the SQL table. However when I run the code I get the following error message
mysql.connector.errors.ProgrammingError: Not enough parameters for the SQL statement
I have counted it many times and it seems like the %s match the passed parameters. Am I missing something?
user = User_name_body.get('1.0',END)
passw = Password_text.get('1.0',END)
first = First_name.get('1.0',END)
last = Last_name.get('1.0',END)
phone = Phone_number.get('1.0',END)
email = Email_address.get('1.0',END)
mycursor = mydb.cursor()
sql = "UPDATE t_users SET Email_address=%s, First_name=%s, Last_name=%s, Phone_Number=%s, Password=%s WHERE User_Name=%s VALUES(%s,%s,%s,%s,%s,%s)"
val = (email, first, last, phone, passw,user)
mycursor.execute(sql, val)
mydb.commit()
mydb.close()
UPDATE does not take VALUES, you should change your sql query line to look like this:
sql = "UPDATE t_users SET Email_address=%s, First_name=%s, Last_name=%s, Phone_Number=%s, Password=%s WHERE User_Name=%s"
Python throws an error because you are asking for 12 parameters and only providing 6.
Prepare your sql data like this:
sql = """ UPDATE t_users SET Email_address=%s, First_name=%s, Last_name=%s, Phone_Number=%s, Password=%s WHERE User_Name = %s """
val = (email, first, last, phone, passw, user)
mycursor.execute(sql, val)
or you can do it like this
sql = "UPDATE btms_users SET btms_users.user='%s', btms_users.secret='%s' , btms_users.first_name='%s', " \
"btms_users.second_name='%s', btms_users.email='%s', btms_users.mobile='%s' " \
"WHERE btms_users.id='%s'" % (user_name, user_secret, user_firstname, user_lastname,
user_email, user_phone, user_id)
mycursor.execute(sql)
and here is a full working example:
import mysql.connector
mydb = mysql.connector.connect(
host="localhost",
user="root",
password="test",
database="test"
)
mycursor = mydb.cursor()
sql = "UPDATE items SET name = %s WHERE id = %s"
val = ("Test", 1)
mycursor.execute(sql, val)
mydb.commit()
print(mycursor.rowcount, "record(s) affected")
I am trying to write data in a dictionary back into a SQL Server database table with pymssql.
But I am getting this error:
ValueError: more placeholders in sql than params available
Here is my code:
cursor = conn.cursor()
for key in dictW:
x = dictW[key]
sql = 'UPDATE tablename SET col = %s WHERE %s = #url '
cursor.executemany(sql, (key, x))
conn.commit()
conn.close()
What am I doing wrong here?
You are attempting to execute your queries one by one but are using executemany(). You should consider using a simple execute() instead:
cursor = conn.cursor()
for key in dictW:
x = dictW[key]
sql = 'UPDATE tablename SET col = %s WHERE %s = #url '
cursor.execute(sql, (key, x))
conn.commit()
conn.close()
If you want to use executemany(), you should make a list of tuples like this:
cursor = conn.cursor()
params = [(k, v) for k, v in dictW.items()]
sql = 'UPDATE tablename SET col = %s WHERE %s = #url '
cursor.executemany(sql, params)
conn.commit()
conn.close()
I met problems while using sqlite3 in python.
def getEntryId(self, table, field, value, createNew=True):
cur=self.con.execute("select rowid from %s where %s = '%s'" % (table, field, value))
res=cur.fetchone()
if res==None:
cur=self.con.execute("insert into %s (%s) values('%s') " % (table, field, value))
return cur.lastrowid
else:
return res[0]
However, I met this:
OperationalError: unrecognized token: "'''". It seems that my 2nd line of codes is incorrect.
I can not figure out why, so I do the same thing:
cu.execute("select rowid from urllist where %s = '%s'" % ('url', 'yes'))
It came out without an error. Why? How could I fix it?
You should parameterize the query. You cannot though parameterize the table and field names, you can use string formatting to insert the table and field names into the query, but make sure you either trust the source, or validate the values properly:
query = "select rowid from {table} where {field} = %s".format(table=table, field=field)
cur = self.con.execute(query, (value, ))
res = cur.fetchone()
The parameterization not only helps to prevent SQL injection attacks, but also handles the data types conversions, escapes the parameters properly, which may fix your current problem as well.
I'm using python Flask and can't get my head around why i'm getting error:
ProgrammingError: syntax error at or near "IF"
LINE 1: IF SELECT count(*) FROM ProfilePicture WHERE userid =
Here is my code:
> def updateProfilePicture(filename, image, userid):
> cursor = getCursor()
> binary = psycopg2.Binary(image)
> data = (userid, filename, binary, userid, filename, binary, userid)
> #SQL = """INSERT INTO ProfilePicture(id, image, userid)
> # VALUES (%s, %s, %s)"""
> SQL = """IF SELECT count(*) FROM ProfilePicture WHERE userid = %s > 0
> THEN
> UPDATE ProfilePicture SET id = %s, image = %s WHERE userid = %s
> ELSE
> INSERT INTO ProfilePicture(id, image, userid) VALUES (%s, %s, %s)
> END IF"""
> print cursor.mogrify(SQL, data)
> cursor.execute(SQL, data)
> cursor.connection.commit()
> cursor.close()
> return
A simple insert works well but not the if statement.
Appreciate your help!
Since "ON CONFLICT" syntax is introduced in PostgreSQL 9.5, you have to test the existence of the row in python.
If you have a unique constraint on the userid you can use exceptions:
def updateProfilePicture(filename, image, userid):
cursor = getCursor()
binary = psycopg2.Binary(image)
data = (userid, filename, binary, userid, filename, binary, userid)
SQL = """INSERT INTO ProfilePicture(id, image, userid) VALUES (%s, %s, %s)"""
try:
cursor.execute(SQL, data)
except:
cursor.rollback()
SQL = """UPDATE ProfilePicture SET id = %s, image = %s WHERE userid = %s"""
cursor.execute(SQL, data)
cursor.connection.commit()
cursor.close()
That's not SQL syntax, it's the PL/pgSQL procedural language. It's primarily used to write functions. You can use it for a one-off command, but you need to put it in a DO block:
DO $$
BEGIN
IF (SELECT count(*) FROM ProfilePicture WHERE userid = %s) > 0 THEN
UPDATE ProfilePicture SET id = %s, image = %s WHERE userid = %s;
ELSE
INSERT INTO ProfilePicture(id, image, userid) VALUES (%s, %s, %s);
END IF;
END
$$
Note, however, that your logic will not work if someone else is inserting into/deleting from ProfilePicture at the same time; you risk either losing the update, or inserting multiple records for the same userid. Avoiding this is less than straightforward.
How do I do this correctly:
I want to do a query like this:
query = """SELECT * FROM sometable
order by %s %s
limit %s, %s;"""
conn = app_globals.pool.connection()
cur = conn.cursor()
cur.execute(query, (sortname, sortorder, limit1, limit2) )
results = cur.fetchall()
All works fine but the order by %s %s is not putting the strings in correctly. It is putting the two substitutions in with quotes around them.
So it ends up like:
ORDER BY 'somecol' 'DESC'
Which is wrong should be:
ORDER BY somecol DESC
Any help greatly appreciated!
paramstyle
Parameter placeholders can only be used to insert column values. They can not be used for other parts of SQL, such as table names, statements, etc.
%s placeholders inside query string are reserved for parameters. %s in 'order by %s %s' are not parameters. You should make query string in 2 steps:
query = """SELECT * FROM sometable order by %s %s limit %%s, %%s;"""
query = query % ('somecol', 'DESC')
conn = app_globals.pool.connection()
cur = conn.cursor()
cur.execute(query, (limit1, limit2) )
results = cur.fetchall()
DO NOT FORGET to filter first substitution to prevent SQL-injection possibilities
Not all parts of an SQL query can be parametrized. The DESC keyword for example is not
a parameter. Try
query = """SELECT * FROM sometable
order by %s """ + sortorder + """
limit %s, %s"""
cur.execute(query, (sortname, limit1, limit2) )
You could try this alternatively...
query = """SELECT * FROM sometable
order by {0} {1}
limit {2}, {3};"""
sortname = 'somecol'
sortorder = 'DESC'
limit1 = 'limit1'
limit2 = 'limit2'
print(query.format(sortname, sortorder, limit1, limit2))