tags:

views:

38

answers:

4
+2  Q: 

Python String Formats with SQL Wildcards and LIKE

I'm having a hard time getting some sql in python to correctly go through MySQLdb. It's pythons string formatting that is killing me.

My sql statement is using the LIKE keyword with wildcards. I've tried a number of different things in Python. The problem is once I get one of them working, there's a line of code in MySQLdb that burps on string format.

Attempt 1: "SELECT tag.userId, count(user.id) as totalRows FROM user INNER JOIN tag ON user.id = tag.userId WHERE user.username LIKE '%%s%'" % (query)

This is a no go. I get value error: ValueError: unsupported format character ''' (0x27) at index 128

Attempt 2: "SELECT tag.userId, count(user.id) as totalRows FROM user INNER JOIN tag ON user.id = tag.userId WHERE user.username LIKE '\%%s\%'" % (query)

I get the same result from attempt 1.

Attempt 3: like = "LIKE '%" + str(query) + "%'" totalq = "SELECT tag.userId, count(user.id) as totalRows FROM user INNER JOIN tag ON user.id = tag.userId WHERE user.username " + like

This correctly creates the totalq variable, but now when I go to run the query I get errors from MySQLdb:

File "build/bdist.macosx-10.6-universal/egg/MySQLdb/cursors.py", line 158, in execute query = query % db.literal(args) TypeError: not enough arguments for format string

Attempt 4: like = "LIKE '\%" + str(query) + "\%'" totalq = "SELECT tag.userId, count(user.id) as totalRows FROM user INNER JOIN tag ON user.id = tag.userId WHERE user.username " + like

This is the same output as attempt 3.

This all seems really strange. How can I use wildcards in sql statements with python?

+1  A: 

Which library are you using to manage your database connection? You don't want to be trying to construct Queries as Strings - this leaves your application susceptible to SQL Injection. Instead, there should be a method that will allow you to prepare / execute statements with variables. In kinterbasdb (the library for Firebird) that's the execute method. Something like this:

qry = "Select Field1, Field2, Field3 From Table1 Where Field1 like ?"

searchParm = '%' + variable + '%'

# con is a connection object.

cursor = con.cursor()

cursor.execute(qry, (searchParm,))
g.d.d.c  2010-06-28 17:41:30
Good answer. Minor point: OP does mention using MySQLdb in the question. In which case the parameter placeholder would be `%s` instead of `?`.
Adam Bernier  2010-06-28 17:46:02
I'm using Tornado's database wrapper class which wraps MySQLdb with some convenience methods. With your suggestion, I've tried this:totalq = "SELECT tag.userId, count(user.id) as totalRows FROM user INNER JOIN tag ON user.id = tag.userId WHERE user.username LIKE ?"; row = self.db.get(totalq,(like,));I end up getting another error: TypeError: not all arguments converted during string formatting
bl4th3rsk1t3  2010-06-28 17:57:59
ignore the above comment. posted before I saw the others..
bl4th3rsk1t3  2010-06-28 17:59:48
A: 

To escape ampersands in Python string formatting expressions, double the ampersand:

'%%%s%%' % search_string

Edit: But I definitely agree with another answer. Direct string substitution in SQL queries is almost always a bad idea.

jrdioko  2010-06-28 17:41:59
+3  A: 

Those queries all appear to be vulnerable to SQL injection attacks.

Try something like this instead:

curs.execute("""SELECT tag.userId, count(user.id) as totalRows 
                  FROM user 
            INNER JOIN tag ON user.id = tag.userId 
                 WHERE user.username LIKE %s""", ('%' + query + '%',))

Where there are two arguments being passed to execute().

Adam Bernier  2010-06-28 17:42:04
That also looks vulnerable to SQL injection. Using parameterized queries through whatever library is used to connect to the database is the way to go.
jrdioko  2010-06-28 17:45:43
@jrdioko: thanks for your comment. Note that there is no actual string interpolation, and that the query *is* prepared by the `execute()` method.
Adam Bernier  2010-06-28 17:49:31
I take that back, it appears that syntax is how the library in question does parameterized queries.
jrdioko  2010-06-28 17:51:45
+3  A: 

It's not about string formatting but the problem is how queries should be executed according to db operations requirements in Python (PEP 249)

try something like this:

sql = "SELECT column FROM table WHERE col1=%s AND col2=%s" 
params = (col1_value, col2_value)
cursor.execute(sql, params)

here are some examples for psycog2 where you have some explanations that should also be valid for mysql (mysqldb also follows PEP249 dba api guidance 2.0: here are examples for mysqldb)

Lukasz Dziedzia  2010-06-28 17:53:48
Thanks. that did it. For some reason I thought MySQL db would figure out how to escape parameters even inside of the sql statement. But now it makes sense to throw parameters in like this.
bl4th3rsk1t3  2010-06-28 18:07:57
Glad it helped you! I spent a lot of time until I figured that some time ago:)
Lukasz Dziedzia  2010-06-28 21:12:11

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP