Help formatting a mysql query string
Steve Holden
sholden at holdenweb.com
Sat Jun 26 09:03:16 EDT 2004
Pierre-Frédéric Caillaud wrote:
>
>> sqlquery = "INSERT INTO %s", tablename + " values(%s,%s,%s)", datavalue"
>
>
> - what are the "," doing here if you are trying to build a string ?
> - you should use the python povided way which is better (yours looks
> like php)
>
> cursor.execute( "INSERT INTO %(tb)s VALUES(%(a)s,%(b)s,%(c)s)", {
> 'tb':tablename, 'a':first data, 'b':second data, etc... }
Better still, create the query string with the right table name in it
and parameter markers for the data:
sqlquery = "INSERT INTO %s VALUES (%%s, %%s, %%s)" % tablename
Supposing tablename is "customer" this gives
"INSERT INTO customer VALUES (%s, %s, %s)"
Then you can use the parameter substitution mechanism of the DB API to
insert your data in there. Suppose datavalue is ("Steve", "Holden", 85)
then you would do
cursor.execute(sqlquery, datavalue)
The problem with building the data portion of the statement is having to
put the single quotes in around strings and escape any single quotes
that might occur in the values you present. It's much easier to use the
parameter substitution mechanism, even though that *can't* be used to
change a table name in most SQL implementations.
I've assumed for the sake of argument that you're using MySQLdb, which
uses the "%s" paramstyle. mxODBC, for example, you'd use the "?" style,
which makes building statements rather easier.
One final comment: it's much safer to use the column names in INSERT, as in
INSERT INTO customer (First, Last, age)
VALUES ('Steve', 'Holden', 95)
because that isolates you from a change in the column ordering, which
can happen during database reorganizations when you insert a new column
without thinking about the consequences. Just paranoia induced by years
of experience, and therefore often effort-saving.
regards
Steve
More information about the Python-list
mailing list