tags:

views:

689

answers:

4
+1  Q: 

SQLite parameter substitution and quotes

I have this line that works OK:

c.execute('select cleanseq from cleanseqs WHERE newID="%s"'%name)

But I want to use SQLite parameter substitution instead instead of string substitution (because I see here that this is safer).

This is my (failed) try:

t = (name,)
c.execute('select cleanseq from cleanseqs WHERE newID="?"',t)

But this line returns:

'Incorrect number of bindings supplied. The current statement uses 0, and there are 1 supplied.'

So the left part of my statement doesn't work. I am supplying one binding (name, in t) but seems that the question mark (?) is not being parsed. If I delete the quotes sourronding the ?, it works. But I want the quotes to remain there since I remember that there are cases where I need them.

So the question is: How do I convert this line:

c.execute('select cleanseq from cleanseqs WHERE newID="%s"'%name)
+2  A: 

Lose the quotes around ?

c.execute('select cleanseq from cleanseqs WHERE newID=?',(t,))

It's treating it as the string "?".

Do you need to use double quotes around the whole expression, instead of singles?

UncleO  2009-06-17 07:32:14
A: 

The library will handle quoting and escaping for you. Simply write your query like this:

c.execute('SELECT cleanseq FROM cleanseqs WHERE newID=?', (name,))
Alex Morega  2009-06-17 09:22:04
+2  A: 

about """If I delete the quotes sourronding the ?, it works. But I want the quotes to remain there since I remember that there are cases where I need them."""

What you remember from when you were building the whole SQL statement yourself is irrelevant.

The new story is: mark with a ? each place in the SQL statement where you want a value substituted then pass in a tuple containing one value per ? -- it's that simple; the wrapper will quote any strings to make sure that they are acceptable SQL constants.

John Machin  2009-06-17 09:37:26
+2  A: 

I find the named-parameter binding style much more readable -- and sqlite3 supports it:

c.execute('SELECT cleanseq FROM cleanseqs WHERE newID=:t', locals())

Note: passing {'t': t} or dict(t=t) instead of locals() would be more punctiliously correct, but in my opinion it would interfere with readability when there are several parameters and/or longer names. In any case, I do find the :t better than the ?;-).

Alex Martelli  2009-06-18 04:43:40

related questions

SQLite3::BusyException
How do I dump the data of some SQLite3 tables?
Database functionality with WPF app: SQLite, SQL CE, other?
SQLite UDF - VBA Callback
JavaScript sqlite
SQLite/PHP read-only?
Is there a MySQLAdmin or SQL Server Management Studio equivalent for SQLite databases on Windows?
What are the advantages of VistaDB
How Scalable is SQLite?
Programmatically access browser history
SQL Pagination
Metalanaguage to describe the Model from MVC to generate identical client and server side code
Java and SQLite
Is there a good IDE for SQLite ?
Does Visual Studio Server Explorer support custom database providers?
Objective-C: Passing around sets of data
What is the best way to connect and use a sqlite database from C#
Quick easy way to migrate SQLite3 to MySQL?
Why does sqlite3-ruby-1.2.2 not work on OS X?
T-Sql date format for seconds since last epoch / formatting for sqlite input
What's the best way of converting a mysql database to a sqlite one?
SQLite vs MySQL
Using SQLite with Visual Studio 2008 and Silverlight
Adobe Air - Using multiple SQLite databases at once
SQLite and XSD