StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POHow to check and perform SQL statements in Python
primarykey
Id
8874206
data
AcceptedAnswerId
8874368
AnswerCount
2
ClosedDate
CommentCount
6
CommunityOwnedDate
CreationDate
2012-01-15T23:12:28.947
FavoriteCount
0
LastActivityDate
2012-01-15T23:46:37.280
LastEditDate
2012-01-15T23:19:28.783
LastEditorUserId
1150923
OwnerUserId
1150923
ParentId
0
PostTypeId
1
Score
1
ViewCount
4365
LastEditorDisplayName
text
Body
I am using the MySQLdb in Python. I was told that to properly create SQL statements and to avoid SQL injection attacks I should code something like: <pre><code>sql = "insert into table VALUES ( %s, %s, %s )" args = var1, var2, var3 cursor.execute( sql, args ) </code></pre> Or: <pre><code>cursor.execute( "insert into table VALUES ( %s, %s, %s )", var1, var2, var3 ) </code></pre> Or even this (this might be wrong): <pre><code>header = ( 'id', 'first_name', 'last_name' ) values = ( '12', 'bob' , 'smith' ) cursor.execute( "insert into table ( %s ) values ( %s )", ( header + values ) ) </code></pre> When I programmed in PHP, I would normally store my entire SQL statement as a long string then execute the string. Something like (with PostgreSQL): <pre><code>$id = db_prep_string( pg_escape_string( $id ) ); $first_name = db_prep_string( pg_escape_string( $first_name ) ); $last_name = db_prep_string( pg_escape_string( $last_name ) ); $query = "insert into table ( id, first_name, last_name ) values ( $id, $first_name, $last_name )" $result = pg_query( $con, $query ); $retval = pg_fetch_array( $result ); </code></pre> where <code>db_prep_string</code> is <pre><code>function db_prep_string( $value ) { if( !isset( $value ) || (is_null($value)) || preg_match( '/^\s+$/', $value ) || ( $value == '' ) ) { $value = 'null'; } else { $value = "'$value'"; } return $value; } </code></pre> Then to debug, I could simply echo out <code>$query</code> to view the entire SQL statement. Is there something similar I can do with Python? In other words, can I store the safe SQL statement as a string, print it to debug, then execute it? I would like to do something like: <pre><code>id = prevent_sql_injection_string( id ) first_name = prevent_sql_injection_string( first_name ) last_name = prevent_sql_injection_string( last_name ) sql = "insert into table ( id, first_name, last_name ) values " sql += id + ", " sql += first_name + ", " sql += last_name print sql #for debugging cursor.execute( sql ) </code></pre> If not, then how do I view the SQL statement in its entirety in Python? Bonus question: how do I enter null values in a SQL statement using Python?
Tags
<python><mysql><sql>
Title
How to check and perform SQL statements in Python
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. UShobbes3
UserOwnerUserId
1. UShobbes3
plurals
PostLinksPostIdRelatedPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POHow to check and perform SQL statements in Python
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.