tags:

views:

387

answers:

3
+2  Q: 

Python: inserting double or single quotes around a string

Im using python to access a MySQL database and im getting a unknown column in field due to quotes not being around the variable.

code below:

cur = x.cnx.cursor()
cur.execute('insert into tempPDBcode (PDBcode) values (%s);' % (s)) 
rows = cur.fetchall()

How do i manually insert double or single quotes around the value of s? I've trying using str() and manually concatenating quotes around s but it still doesn't work. The sql statement works fine iv double and triple check my sql query.

A: 

If this were purely a string-handling question, the answer would be tojust put them in the string:

cur.execute('insert into tempPDBcode (PDBcode) values ("%s");' % (s))

That's the classic use case for why Python supports both kinds of quotes.

However as other answers & comments have pointed out, there are SQL-specific concerns that are relevant in this case.

Vicki Laidler  2010-03-13 16:24:25
Although SQL specifies single quotes around strings, so the single and double quotes there should be swapped
Ian Clelland  2010-03-13 16:29:57
Also, this code introduces a very unnecessary security hole.
Mike Graham  2010-03-13 17:37:55
@Ian - thanks, did not know that about SQL. Clearly I did not understand correctly! I've edited accordingly.
Vicki Laidler  2010-03-13 20:53:02
@Vicki: if you care about SO badges, I believe that by deleting this answer at -3 you'll eventually get the "Peer pressure" badge.
ΤΖΩΤΖΙΟΥ  2010-04-12 10:52:28
+9  A: 

You shouldn't use Python's string functions to build the SQL statement. You run the risk of leaving an SQL injection vulnerability. You should do this instead:

cur.execute('insert into tempPDBcode (PDBcode) values (%s);', s)

Note the comma.

Mark Byers  2010-03-13 16:24:25
+5  A: 

Python will do this for you automatically, if you use the database API:

cur = x.cnx.cursor()
cur.execute('insert into tempPDBcode (PDBcode) values (%s)',s)

Using the DB API means that python will figure out whether to use quotes or not, and also means that you don't have to worry about SQL-injection attacks, in case your s variable happens to contain, say,

value'); drop database; '
Ian Clelland  2010-03-13 16:25:01

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP