Skip to content Skip to sidebar Skip to footer
Home / Postgresql / Psycopg2 / Python / Sql

How To Remove The Quotes From A String For Sql Query In Python?

Post a Comment
I have a dictionary of database names. I take a name from the dictionary database_name = database_dict[i] lets say the value for database_name is 'foo' Using Psycopg2 I am execut

Solution 1: 

from psycopg2.extensionsimportAsIs
cur.execute("INSERT INTO %s VALUES(...);", AsIs(database_name))

http://initd.org/psycopg/docs/extensions.html#psycopg2.extensions.AsIs

BTW that is not a database name, it is a table name.

Solution 2:

The structural components of an SQL query such as table and field names cannot be parameterized as you attempt in second argument of cursor.execute(query, params). Only numeric/literal data values can be parameterized.

Consider interpolating the database_name variable into the SQL query string but do so safely with psycopg2's sqlIdentifier() with str.format:

from psycopg2 import sql
...

cur.execute(sql.SQL('INSERT INTO {} VALUES(...)').format(sql.Identifier(database_name)))

Valid parameterizaiton in your case would be to bind the data values passed in the VALUES(...) in append query such as VALUES(%s, %s, %s). Alternatively in other queries: 

"SELECT %s AS NewColumn...""...WHERE fieldname = %s OR otherfield IN (%s, %s, %s)""...HAVING Max(NumColumn) >= %s"

Solution 3:

Note: I haven't use psycopg2, this is based on what I know from similar database libraries.

A table name is an identifier and they get quoted and escaped differently than values. I believe you should use psycopg2.extensions.quote_ident(str, scope) to quote and escape it. I believe it uses the PostgreSQL function PQescapeIdentifier().

PQescapeIdentifier escapes a string for use as an SQL identifier, such as a table, column, or function name. This is useful when a user-supplied identifier might contain special characters that would otherwise not be interpreted as part of the identifier by the SQL parser, or when the identifier might contain upper case characters whose case should be preserved.

Then it will be quoted and escaped and can be safely added to the SQL string using normal string operations without risking a SQL injection attack, or using AsIs(quote_ident(database_name)) as a value to .execute.

Solution 4:

If fact, database_name is "'foo'".

To drop the single quote:

database_name = database_name.replace("'", "")

You may like these posts

Post a Comment for "How To Remove The Quotes From A String For Sql Query In Python?"