Psycopg2 Insert Into Table with Placeholders

python postgresql postgis psycopg2 psycopg
68,053

Solution 1

You are using Python string formatting and this is a Very Bad Idea (TM). Think SQL-injection. The right way to do it is to use bound variables:

cur.execute('INSERT INTO %s (day, elapsed_time, net_time, length, average_speed, geometry) VALUES (%s, %s, %s, %s, %s, %s)', (escaped_name, day, time_length, time_length_net, length_km, avg_speed, myLine_ppy))

where the tuple of parameters is given as second argument to execute(). Also you don't need to escape any value, psycopg2 will do the escaping for you. In this particular case is also suggested to not pass the table name in a variable (escaped_name) but to embed it in the query string: psycopg2 doesn't know how to quote table and column names, only values.

See psycopg2 documentation:

https://www.psycopg.org/docs/usage.html#passing-parameters-to-sql-queries

If you want to programmatically generate the SQL statement, the customary way is to use Python formatting for the statement and variable binding for the arguments. For example, if you have the table name in escaped_name you can do:

query = "INSERT INTO %s (col1, ...) VALUES (%%s, ...)" % escaped_name
curs.execute(query, args_tuple)

Obviously, to use placeholders in your query you need to quote any % that introduce a bound argument in the first format.

Note that this is safe if and only if escaped_name is generated by your code ignoring any external input (for example a table base name and a counter) but it is at risk of SQL injection if you use data provided by the user.

Solution 2

To expand on @Matt's answer, placeholders do not work for identifiers like table names because the name will be quoted as a string value and result in invalid syntax.

If you want to generate such a query dynamically, you can use the referred to pyscopg2.sql module:

from psycopg2.sql import Identifier, SQL

cur.execute(SQL("INSERT INTO {} VALUES (%s)").format(Identifier('my_table')), (10,))

Solution 3

As of psycopg2 v2.7 there is a supported way to do this: see the psycopg2.sql docs.

Share:
68,053
Timothy Dalton
Author by

Timothy Dalton

Updated on July 10, 2022

Comments

  • Timothy Dalton
    Timothy Dalton almost 2 years

    This might be a rather silly question but what am I doing wrong here? It creates the table but the INSERT INTO doesn't work, I guess I'm doing something wrong with the placeholders?

    conn = psycopg2.connect("dbname=postgres user=postgres")
cur = conn.cursor()
escaped_name = "TOUR_2"
cur.execute('CREATE TABLE %s(id serial PRIMARY KEY, day date, elapsed_time varchar,    net_time varchar, length float, average_speed float, geometry GEOMETRY);' % escaped_name)

cur.execute('INSERT INTO %s (day,elapsed_time, net_time, length, average_speed, geometry) VALUES (%s, %s, %s, %s, %s, %s)', (escaped_name, day ,time_length,  time_length_net, length_km, avg_speed,  myLine_ppy))

conn.commit()
cur.close()
conn.close()

    The INSERT INTO call doesn't work, it gives me

    cur.execute('INSERT INTO %s (day,elapsed_time, net_time, length, average_speed,  
geometry) VALUES (%s, %s, %s, %s, %s, %s)'% (escaped_name, day ,time_length,  
time_length_net, length_km, avg_speed,  myLine_ppy))
psycopg2.ProgrammingError: syntax error at or near ":"
LINE 1: ...h, average_speed, geometry) VALUES (2013/09/01 , 2:56:59, 02...

    Can someone help me on this one? Thanks a bunch!

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

build SQL dynamic query with psycopg2 python library and using good conversion type tools
Psycopg copy_expert method - How to use properly
psycopg2 cannot find any tables after connection
Fast insertion of pandas DataFrame into Postgres DB using psycopg2
psycopg2 variables format for creating queries
How Postgresql COPY TO STDIN With CSV do on conflic do update?
Insert python list into PostgreSQL database
Psycopg2 execute tuple index out of range
Psycopg2 Operational Error: could not connect to server : No such file or directory
Postgresql table update