SQLite parameter substitution and quotes

python sqlite
19,753

Solution 1

about """If I delete the quotes sourronding the ?, it works. But I want the quotes to remain there since I remember that there are cases where I need them."""

What you remember from when you were building the whole SQL statement yourself is irrelevant.

The new story is: mark with a ? each place in the SQL statement where you want a value substituted then pass in a tuple containing one value per ? -- it's that simple; the wrapper will quote any strings to make sure that they are acceptable SQL constants.

Solution 2

To anyone who like me found this thread and got really frustrated by people ignoring the fact that sometimes you can't just ignore the quotes (because you're using say a LIKE command) you can fix this by doing something to the effect of:

var = name + "%"
c.execute('SELECT foo FROM bar WHERE name LIKE ?',(var,))

This will allow you to substitute in wildcards in this situation.

Solution 3

I find the named-parameter binding style much more readable -- and sqlite3 supports it:

c.execute('SELECT cleanseq FROM cleanseqs WHERE newID=:t', locals())

Note: passing {'t': t} or dict(t=t) instead of locals() would be more punctiliously correct, but in my opinion it would interfere with readability when there are several parameters and/or longer names. In any case, I do find the :t better than the ?;-).

Solution 4

Lose the quotes around ?

c.execute('select cleanseq from cleanseqs WHERE newID=?',(t,))

It's treating it as the string "?".

Do you need to use double quotes around the whole expression, instead of singles?

Solution 5

The library will handle quoting and escaping for you. Simply write your query like this:

c.execute('SELECT cleanseq FROM cleanseqs WHERE newID=?', (name,))
Share:
19,753
BlogueroConnor
Author by

BlogueroConnor

Working in Bioinformatics

Updated on June 19, 2022

Comments

  • BlogueroConnor
    BlogueroConnor almost 2 years

    I have this line that works OK:

    c.execute('select cleanseq from cleanseqs WHERE newID="%s"'%name)

    But I want to use SQLite parameter substitution instead instead of string substitution (because I see here that this is safer).

    This is my (failed) try:

    t = (name,)
c.execute('select cleanseq from cleanseqs WHERE newID="?"',t)

    But this line returns:

    'Incorrect number of bindings supplied. The current statement uses 0, and there are 1 supplied.'

    So the left part of my statement doesn't work. I am supplying one binding (name, in t) but seems that the question mark (?) is not being parsed. If I delete the quotes sourronding the ?, it works. But I want the quotes to remain there since I remember that there are cases where I need them.

    So the question is: How do I convert this line:

    c.execute('select cleanseq from cleanseqs WHERE newID="%s"'%name)
  • Martijn
    Martijn about 11 years
    +1 It also makes it easier to re-use a variable multiple times in the same query, without having to re-add it several times.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How do I install sqlite3 ODBC drivers with unixODBC?
AttributeError: type object 'Team' has no attribute '_meta'
SQLAlchemy - "Dynamic Filter"
Python SQLite3 SQL Injection Vulnerable Code
Python SQLite how to get SQL string statement being executed
Django Error: OperationalError: no such table: polls_poll
Confusion about URI path to configure SQLite database
Dynamically Generating SQL Queries with Python and SQLite3
Python - Reading BLOB type from SQLite3 DB
pandas to_sql method gives error with date column