无法在WHERE-in-SQL子句中获取python元组作为输入?

2024-10-02 14:16:31 发布

您现在位置:Python中文网/ 问答频道 /正文
8479 3

Python代码:

query是一个UPDATE查询,错误只是说明tuple有问题,它作为参数传递给IN子句

pyList是Python列表,DBOBJ是连接对象

pyTuple = tuple(pyList)
print(pyTuple)

pyTupleSQLFormat = DBOBJ.string_literal(pyTuple)
print(pyTupleSQLFormat)

query = "UPDATE seats SET isReserved = 1 WHERE screen_name='{}' AND seat_number IN %s".format(screenname)
args = (pyTupleSQLFormat,)
CurOBJ.execute(query,args)

控制台输出:Python

('B1', 'B2', 'A6', 'A7')
b"'(\\'B1\\', \\'B2\\', \\'A6\\', \\'A7\\')'"
(1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\\'(\\\\\\'B1\\\\\\', \\\\\\'B2\\\\\\', \\\\\\'A6\\\\\\', \\\\\\'A7\\\\\\')\\''' at line 1")

Tags: inyourargsupdatequeryb2b1print
1条回答
网友
1楼 · 发布于 2024-10-02 14:16:31

string_literal(...)似乎在准备将对象插入char/text字段,而不是以可以附加到查询的方式对其进行字符串化

可以通过dynamically building parameter placeholders将元组内容作为查询的附加参数传入。这样做的另一个好处是使用参数化来避免SQL注入和相关问题

screen_name = "example"
seat_numbers = [1, 2, 3, 4]

args = tuple([screen_name] + seat_numbers)

query = """
UPDATE 
    seats 
SET 
    isReserved = 1 
WHERE 
    screen_name=%s AND 
    seat_number IN ({placeholders})
""".format(
    placeholders=",".join(["%s"] * len(seat_numbers)),
)
print(query)
print(args)

cursor.execute(query, args)

相关问题 更多 >

    编程相关推荐

    热门问题