import pandas as pd  # pd and conn (an open DB-API connection) are assumed by the snippet

q = f"""
SELECT * FROM table;
"""
df = pd.read_sql(q, con=conn)

I have multiple columns that I store in a Python list [col1, col2, ... , coln].

Whenever I want to query all columns except a few, the method currently being used is to query all columns and then drop the unwanted ones.

I am wondering if passing in a list of columns in q

q = f""" SELECT {column_list} FROM table"""

is possible.

The reason for this is to save memory in the Jupyter notebook by bringing in only the necessary columns.

2 Answers

1

You could create a CSV list of columns from your list of column names:

import pandas as pd

col_list = ['col1', 'col2', 'col3']
cols = ', '.join(col_list)          # "col1, col2, col3"
q = f"""
SELECT {cols} FROM table;
"""
df = pd.read_sql(q, con=conn)       # conn: an open DB-API connection
print(q)  # SELECT col1, col2, col3 FROM table;

1 Comment

Thanks, I swear I've done this before and it did not work.... Now it is working fine lol.
1

EDIT: Don't do this. See comments below.


Sure, you can do that. However, using f-strings (or some custom way to format) is not recommended, and one of the reasons is to prevent an SQL injection attack. The preferred way is to use whatever method your database connector uses.

I've used SQLite3 before, and in it we do something like this:

from sqlite3 import connect
connection = connect(path_to_db)  # path_to_db: path to an existing SQLite file
# NOTE: as the comments below explain, '?' binds data values, not identifiers,
# so this query returns the literal strings 'col1', 'col2', 'col3' per row.
data = connection.execute("SELECT ?, ?, ? FROM table;", ("col1", "col2", "col3"))

The question marks will be substituted for column names in the query. The library has protections built-in that will act if you use this approach. You can also use this for other stuff (like ...WHERE name = ?;).

Read more: https://realpython.com/prevent-python-sql-injection/

5 Comments

This is totally wrong, column names cannot be bound to ? placeholders, only literal data values. Even if your code runs it should not be used in production.
Another comment: The risk of SQL injection is with data coming from outside your application to be used in a SQL query. Since the OP is building the initial query string internally, from a list of known columns, there isn't much risk of injection here.
@TimBiegeleisen Thanks for letting me know. If you know, can you please tell me why you shouldn't bind ? placeholders to column names?
The prepared statement API doesn't allow binding column or table names. If it did allow that, just think of the security hole: An outside user could decide on which table the query executes.
@TimBiegeleisen That makes sense, thank you. I'll leave my answer (if that's okay) with the edit, so that future users searching this are warned of the bad/incorrect practice.
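To make the two points of this thread concrete (the joined column list from the first answer, and why binding identifiers to ? does not work from the second answer's comments), here is an added example that is not from either answer. It uses a constructed in-memory sqlite3 table; build_select, quote_ident and demo are names chosen here. It validates each requested column against the table's schema (an allowlist) and quotes it as an identifier before building the SELECT text, which is the safe way to do what the original question asks when the list of columns may not be fully under your control.

```python
import sqlite3


def quote_ident(name):
    """Quote a SQL identifier: double quotes, embedded quotes doubled."""
    return '"' + name.replace('"', '""') + '"'


def build_select(conn, table, wanted):
    """Return 'SELECT <wanted> FROM <table>;' with every name allowlisted.

    Identifiers cannot be bound to '?' placeholders (those carry data
    values only), so each name is checked against the real schema and
    then quoted into the statement text.
    """
    tables = {r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    if table not in tables:
        raise ValueError(f"unknown table: {table!r}")
    known = {r[1] for r in conn.execute(
        f"PRAGMA table_info({quote_ident(table)})")}   # r[1] is the column name
    bad = [c for c in wanted if c not in known]
    if bad:
        raise ValueError(f"unknown column(s): {bad}")
    cols = ", ".join(quote_ident(c) for c in wanted)
    return f"SELECT {cols} FROM {quote_ident(table)};"


def demo():
    """Constructed table; contrasts binding names with building the query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (col1 INTEGER, col2 TEXT, col3 REAL)")
    conn.execute("INSERT INTO t VALUES (1, 'a', 2.5)")
    # The '?' approach runs, but the placeholders become string literals,
    # so the row holds the names 'col1', 'col2' rather than the data.
    bound = conn.execute("SELECT ?, ? FROM t;", ("col1", "col2")).fetchone()
    # The allowlisted approach returns the actual column values.
    safe = conn.execute(build_select(conn, "t", ["col1", "col2"])).fetchone()
    # A name that is not in the schema is rejected before any SQL is built.
    try:
        build_select(conn, "t", ["col1", "colx"])
        rejected = False
    except ValueError:
        rejected = True
    return bound, safe, rejected


if __name__ == "__main__":
    print(demo())  # (('col1', 'col2'), (1, 'a'), True)
```

With pandas the same statement is passed as pd.read_sql(build_select(conn, "t", cols), con=conn).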
