SQLite“ IN”子句的参数替换
发布于 2021-01-29 15:56:57
我正在尝试在Python中为IN子句使用SQLite进行参数替换。这是一个完整的运行示例,演示:
import sqlite3
c = sqlite3.connect(":memory:")
c.execute('CREATE TABLE distro (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT)')
for name in 'Ubuntu Fedora Puppy DSL SuSE'.split():
c.execute('INSERT INTO distro (name) VALUES (?)', [ name ] )
desired_ids = ["1", "2", "5", "47"]
result_set = c.execute('SELECT * FROM distro WHERE id IN (%s)' % (", ".join(desired_ids)), ())
for result in result_set:
print result
它输出:
(1,u’Ubuntu’)(2,u’Fedora’)(5,u’SuSE’)
正如文档指出的那样,“ [y]
ou不应使用Python的字符串操作来汇编查询,因为这样做是不安全的;它会使您的程序容易受到SQL注入攻击的影响,”我希望使用参数替换。
当我尝试时:
result_set = c.execute('SELECT * FROM distro WHERE id IN (?)', [ (", ".join(desired_ids)) ])
我得到一个空结果集,当我尝试时:
result_set = c.execute('SELECT * FROM distro WHERE id IN (?)', [ desired_ids ] )
我得到:
InterfaceError:错误绑定参数0-可能是不受支持的类型。
虽然我希望对这个简化问题的任何答案都能奏效,但我想指出,我要执行的实际查询是在双嵌套子查询中。以机智:
UPDATE dir_x_user SET user_revision = user_attempted_revision
WHERE user_id IN
(SELECT user_id FROM
(SELECT user_id, MAX(revision) FROM users WHERE obfuscated_name IN
("Argl883", "Manf496", "Mook657") GROUP BY user_id
)
)
关注者
0
被浏览
52
1 个回答
-
您确实需要正确的
?s数量,但这不会带来sql注入风险:>>> result_set = c.execute('SELECT * FROM distro WHERE id IN (%s)' % ','.join('?'*len(desired_ids)), desired_ids) >>> print result_set.fetchall() [(1, u'Ubuntu'), (2, u'Fedora'), (5, u'SuSE')]
