I am having trouble finding the documentation to be able to add non-SQL variables to a SQL statement The official docs don't go into that at http://dev.mysql.com/doc/refman/5.0/en/user-variables.html.
How would I do the following in python and valid SQL?
id, provider_id, title = row[0], row[2], row[4]
cursor.execute("INSERT INTO vendor_id VALUES (%s,%s,%s);"%(id, provider_id, title))
You're on the right track but it should look like this.
id, provider_id, title = row[0], row[2], row[4]
cursor.execute("INSERT INTO vendor_id VALUES (%s, %s, %s)", id, provider_id, title)
The python SQL database API automatically disables and ask for a reformation of escaping and quoting of variables. String formatting operators are unnecessary and in this case do not do any formatting of variable quoting. You can format the final array of variables any way you like, just do not use the % operator like you use. If I am correct, the reason for this is that the variables are bound, and not formatted into the text, so that an injection cannot occur
cursor.execute("INSERT INTO vendor_id VALUES (%s, %s, %s)", (id, provider_id, title))
cursor.execute("INSERT INTO vendor_id VALUES (?, ?, ?)", (id, provider_id, title))
should work too.
Related
This question already has answers here:
How to retrieve inserted id after inserting row in SQLite using Python?
(2 answers)
Closed last year.
When I insert a new row into a table, what's the best way to get the autoincremented primary key of the row I just created? Like this:
def create_address_and_get_id(address_line_1, address_line_2, city, state_abbrev, postcode, country):
db = get_db()
db.execute(
'INSERT INTO mailing_address (address_line_1, address_line_2,'
' city, state_abbrev, postcode, country)'
' VALUES (?, ?, ?, ?, ?, ?)'
(address_line_1, address_line_2, city, state_abbrev, postcode, country)
)
db.commit()
#return ???
I've seen how to do this in other systems but not in python.
you are looking for the lastrowid:
https://docs.python.org/3/library/sqlite3.html:
lastrowid
This read-only attribute provides the rowid of the last modified row. It is only set if you issued an INSERT or a REPLACE statement using the execute() method. For operations other than INSERT or REPLACE or when executemany() is called, lastrowid is set to None.
If the INSERT or REPLACE statement failed to insert the previous successful rowid is returned.
Changed in version 3.6: Added support for the REPLACE statement.
I am using python sql cursor to dynamically access my database and I am in a situation where I want to use a variable in place of a table name. So far all of my attempts have resulted in syntax errors, although I (think?) I am doing things as expected? Unless a table name as a variable is different from a value as a variable:
here is what I currently have:
cursor.execute("INSERT INTO %s (word=%s,item_id=%s,word_tag=%s,unstemmed_word=%s, word_position=%s, TF=%s, normalized_term_frequency=%s, sentence=%s,anthology_id=%s) "%(table_name, stemmedWord,fle.split()[0], str(word[1]), uniqeWord, word_pos, TF, normalized_term_frequency, sentence, fle.split()[1].split(".")[0]))
and I have also tried this:
cursor.execute("INSERT INTO %s (word,item_id,word_tag,unstemmed_word, word_position, TF, normalized_term_frequency, sentence,anthology_id) values(%s, %s,%s, %s, %s, %s, %s, %s, %s)",(table_name, stemmedWord,fle.split()[0], str(word[1]), uniqeWord, word_pos, TF, normalized_term_frequency, sentence, fle.split()[1].split(".")[0]))
You cannot dynamically bind object names, only values. You'll have to resort to string manipulation for the table's name. E.g.:
sql = "INSERT INTO {} (word=%s,item_id=%s,word_tag=%s,unstemmed_word=%s, word_position=%s, TF=%s, normalized_term_frequency=%s, sentence=%s,anthology_id=%s)".format(table_name)
cursor.execute(sql % (stemmedWord,fle.split()[0], str(word[1]), uniqeWord, word_pos, TF, normalized_term_frequency, sentence, fle.split()[1].split(".")[0]))
If you are on python >= 3.6 this is probably better:
cursor.execute(f'INSERT INTO {table_name} (word="{stemmedWord}",item_id={fle.split()[0]},word_tag={str(word[1])},unstemmed_word="{oword_posrmuniqeWord}", word_position=word_pos, TF={TF}, normalized_term_frequency={normalized_term_frequency}, sentence="{sentence}",anthology_id={fle.split()[1].split(".")[0])}'
but I think your syntax errors are coming from two things:
you have provided a string to split fle on. (Correction this defaults to space - so is OK!)
you haven't quoted what seem to be obvious strings in you sql fields.
I am using python 2.7 and postgresql 10.0.
For learning purposes I am attempting to get user raw_input and place into an insert execute, but no matter what I do, either it be %s or {} and using .format i am receiving errors.
all values are string except age (int)
specifically
with conn:
c.execute("INSERT INTO people(person_first, person_last, person_email,
person_age) VALUES ({}, {}, {}, {})".format(person_first, person_last,
person_email, person_age))
gives me non-string values (from the inputs)
and %s method gives me an error at the first '%' VALUES(%s, %s, %s, %s)
also have attempted VALUES (?, ?, ?, ?) and also unsuccessful similar to %s
The code, as pasted, looks wrong. You have with conn and c.execute. Assuming c is the cursor, and conn is the connection, the way to use them would look like this: with conn.cursor() as c:. The cursor is a context manager that will properly clean itself up when the with block exits.
Also, don't get in the habit of using .format() on your SQL. That will 1) be a vector for SQL injection vulnerabilities and 2) it will break if the input contains a single quote character.
So, combining those two points, your code should look like this:
with conn.cursor() as c:
c.execute("INSERT INTO people(person_first, person_last, person_email,
person_age) VALUES (%s, %s, %s, %s)", (person_first, person_last,
person_email, person_age,))
Note that the parameters are passed as a tuple directly to execute; the driver will parse the query, translate to appropriate SQL/parameter for the server, manage quoting, etc. If you are still seeing errors, post the traceback.
See also -
http://initd.org/psycopg/docs/usage.html#with-statement
http://initd.org/psycopg/docs/usage.html#the-problem-with-the-query-parameters
Hope this helps.
Let a = "03bb2997_8b7a_4359_800d_7c14e5175bc9" and I decide to make it a table name of my cassandra. Hence, by using Python,
session.execute("""CREATE TABLE IF NOT EXISTS "%s" (date date, time time, input text, predicted_result text, PRIMARY KEY(date, time));""" % new_modelId)
Take note of the double quotes between %s, without it, the cql will complain SyntaxException: line 1:35 mismatched character '_' expecting '-' since the table name cannot start with numeric character
The table is created successfully. I verified it through cqlsh. However, when I try to insert data into the table with code below:
session.execute("""INSERT INTO "%s" (date, time, input, predicted_result) VALUES(%s, %s, %s, %s);""",
(a, str(dateTime.date()), str(dateTime.time()),
json.dumps(json.loads(input_json)["0"]), json.dumps(json.loads(predicted_result_json)["0"])))
InvalidRequest: Error from server: code=2200 [Invalid query] message="unconfigured table '03bb2997_8b7a_4359_800d_7c14e5175bc9'"
I tried with hardcoded table name and it works.
session.execute("""INSERT INTO "03bb2997_8b7a_4359_800d_7c14e5175bc9" (date, time, input, predicted_result) VALUES(%s, %s, %s, %s);""",
( str(dateTime.date()), str(dateTime.time()),
json.dumps(json.loads(input_json)["0"]), json.dumps(json.loads(predicted_result_json)["0"])))
I can't figure out what's wrong with Cassandra table naming. It is so confusing and frustrating.
You cannot parameterize keyspace or table name, only the parameters on prepared statements. How you execute it here is not a prepared statement, but your arguments to execute have been confused with how you put your parentheses. You are putting a with the first arg as part of a tuple, so I think it would work to:
session.execute("""INSERT INTO "%s" (date, time, input, predicted_result) VALUES(%s, %s, %s, %s);""",
a,
str(dateTime.date()),
str(dateTime.time()),
json.dumps(json.loads(input_json)["0"]),
json.dumps(json.loads(predicted_result_json)["0"])))
Also, you can always build string yourself as well:
session.execute("""INSERT INTO "%s" (date, time, input, predicted_result) VALUES('%s', '%s', '%s', '%s');""" %
(a,
str(dateTime.date()),
str(dateTime.time()),
json.dumps(json.loads(input_json)["0"]),
json.dumps(json.loads(predicted_result_json)["0"]))))
Generally its good practice to have hard coded table names for security implications.
As an aside, are you creating tables dynamically? This will eventually cause issues. Cassandra doesn't do well if it has thousands of tables and loading schema gets slower and slower as you make alterations (uses STCS).
Finally solved the problem by using an ugly way.
query = "INSERT INTO " + a
session.execute(query + """ (date, time, input, predicted_result) VALUES(%s, %s, %s, %s);""", (
str(dateTime.date()), str(dateTime.time()), json.dumps(json.loads(input_json)["0"]),
json.dumps(json.loads(predicted_result_json)["0"])))
I use Python (2.7) and I work with MySQLdb directory to control my SQL database (MySQL workbench 6)
I have a script that updates an sql table every ten minutes. The script deletes everything on the table at first and then insert all the rows again (with the updated data).
This is a sketch of my code:
db=MySQLdb.Connect("localhost", "admin", "admin")
cursor = db.cursor()
cursor.execute("use my_scheme")
cursor.execute("delete from my_table")
for item in updated_item_list:
cursor.execute("insert into my_table values (%s, %s, %s)", (item[0], item[1], item[2]))
db.commit()
cursor.fetchall()
Now, for some reason, I got weird behavior sometimes: the script starts updating the table and some of the rows are actually being inserted but it stops in the middle with:
_mysql_exceptions.IntegrityError: (1062, "Duplicate entry for key 'PRIMARY'")
Every time, different key is being picked as duplicate. How can it be? All the entries have been deleted before. Any idea?
Thanks a lot!
You seem to be inserting constants into the database, not your actual values.Try this.
cursor.execute("INSERT INTO my_table values " +
"(val1, val2, val3) VALUES (%s, %s, %s, %s)",
(val1, val2, val3))