1

I have a SQL query, mad in Python using Psycopg2. The query reads some columns from the arches table:

rows = archesDB.read_all("""SELECT "+str(columns)[1:-1].replace("'","")+" 
                           FROM arches 
                           WHERE lower(arch) like '%%%s%%'""" % (arch.lower()))

I want to parametrize this query, so that it will not specify the columns needed using string concatenation, but as parameters - a far more elegant way.

The naïve way is to SELECT *, and filter out the columns I need. But this burdens the DB and network with unneeded data, so I rather avoid it.

Any ideas?

Adam

Improve this question

2 Answers 2

Reset to default
2

Column names cannot be passed in the SQL string as parameters within the DB API. And it would not make sense to it as well.

If you need to check the column name input, sanitize it beforehand.

The like string should go in as a parameter though

The following code sample would be an improvement if columns variable contains a list of strings for the column names:

rows = archesDB.read_all("""SELECT %s 
                       FROM arches 
                       WHERE lower(arch) like %%s""" % (",".join(columns),),
                       ("%%%s%%" % (arch.lower(),),))

First, the column names are inserted within first substitution (%s) and the last %%s is converted to %s. Then the ("%%%s%%" % (arch.lower(),),) makes a string with %string_content%. And at last, db api escapes the %string_content% and adds quotes to it that finally makes the query.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

You cannot parametrize metadata. Create a mapping of some identifier to the desired field list, and use that.

Improve this answer

2 Comments

That is, use SELECT * and filter the desired columns?
A mapping. Like a dict. And then get the field list to put in the query from that.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.