Escaping optional parameter in WHERE clause

S

someone

Hi,

as you can see below I have some optional parameter for my query (mf,
age). They are in WHERE clause only if not empty.
In this function they are not escaped as, for example, 'search'
parameter, cause I can't pass them to execute function, which does
escaping automatically.

I could write another if's block like that

if mf and not age:
db.execute(query, search, mf, limit)
if age and not mf:
db.execute(query, search, age, limit)
if age and mf:
db.execute(query, search, mf, age, limit)

Is there a better way to deal with optional WHERE clause?

Pet

def getData(self, db, params):
search = params.get('search','')
age = params.get('age','')
mf = params.get('mf','')
limit = params.get('limit',1)

if mf:
mf = " AND mf = %s " % mf
if age:
age = " AND age = %s " % age

query = """
SELECT * FROM mytable
WHERE class = 'P'
AND name = %s
""" + mf + """
""" + age + """
ORDER BY id DESC
LIMIT %s;
"""

db.execute(query, search, limit)
result = db.fetchall()
return result
 
M

MRAB

someone said:
Hi,

as you can see below I have some optional parameter for my query (mf,
age). They are in WHERE clause only if not empty.
In this function they are not escaped as, for example, 'search'
parameter, cause I can't pass them to execute function, which does
escaping automatically.

I could write another if's block like that

if mf and not age:
db.execute(query, search, mf, limit)
if age and not mf:
db.execute(query, search, age, limit)
if age and mf:
db.execute(query, search, mf, age, limit)

Is there a better way to deal with optional WHERE clause?

Pet

def getData(self, db, params):
search = params.get('search','')
age = params.get('age','')
mf = params.get('mf','')
limit = params.get('limit',1)

if mf:
mf = " AND mf = %s " % mf
if age:
age = " AND age = %s " % age

query = """
SELECT * FROM mytable
WHERE class = 'P'
AND name = %s
""" + mf + """
""" + age + """
ORDER BY id DESC
LIMIT %s;
"""

db.execute(query, search, limit)
result = db.fetchall()
return result
Click to expand...
How about:

def getData(self, db, params):
search = params.get('search', '')
age = params.get('age', '')
mf = params.get('mf', '')
limit = params.get('limit', 1)

query = """
SELECT * FROM mytable
WHERE class = 'P'
AND name = %s
"""
values = [search]

if mf:
query += " AND mf = %s"
values.append(mf)

if age:
query += " AND age = %s"
values.append(age)

query += """
ORDER BY id DESC
LIMIT %s;
"""
values.append(limit)

db.execute(query, *values)
result = db.fetchall()
return result
 
S

someon

someone said:
Hi,
Click to expand...
as you can see below I have some optional parameter for my query (mf,
age). They are in WHERE clause only if not empty.
In this function they are not escaped as, for example, 'search'
parameter, cause I can't pass them to execute function, which does
escaping automatically.
Click to expand...
I could write another if's block like that
Click to expand...
    if mf and not age:
        db.execute(query, search, mf, limit)
    if age and not mf:
        db.execute(query, search, age, limit)
    if age and mf:
        db.execute(query, search, mf, age, limit)
Click to expand...
Is there a better way to deal with optional WHERE clause?

    def getData(self, db, params):
        search = params.get('search','')
        age = params.get('age','')
        mf = params.get('mf','')
        limit = params.get('limit',1)
Click to expand...
        if mf:
            mf = " AND mf = %s " % mf
        if age:
            age = " AND age = %s " % age
Click to expand...
        query = """
            SELECT * FROM mytable
            WHERE class = 'P'
            AND name = %s
            """ +  mf +  """
            """ +  age +  """
            ORDER BY id DESC
            LIMIT %s;
        """
Click to expand...
        db.execute(query, search, limit)
        result = db.fetchall()
        return result
Click to expand...

How about:

     def getData(self, db, params):
         search = params.get('search', '')
         age = params.get('age', '')
         mf = params.get('mf', '')
         limit = params.get('limit', 1)

         query = """
             SELECT * FROM mytable
             WHERE class = 'P'
             AND name = %s
         """
         values = [search]

         if mf:
             query += " AND mf = %s"
             values.append(mf)

         if age:
             query += " AND age = %s"
             values.append(age)

         query += """
             ORDER BY id DESC
             LIMIT %s;
         """
         values.append(limit)

         db.execute(query, *values)
         result = db.fetchall()
         return result
Click to expand...

Like it. Thanks, man!
 
S

Steve Holden

MRAB said:
someone said:
Hi,

as you can see below I have some optional parameter for my query (mf,
age). They are in WHERE clause only if not empty.
In this function they are not escaped as, for example, 'search'
parameter, cause I can't pass them to execute function, which does
escaping automatically.

I could write another if's block like that

if mf and not age:
db.execute(query, search, mf, limit)
if age and not mf:
db.execute(query, search, age, limit)
if age and mf:
db.execute(query, search, mf, age, limit)

Is there a better way to deal with optional WHERE clause?

Pet

def getData(self, db, params):
search = params.get('search','')
age = params.get('age','')
mf = params.get('mf','')
limit = params.get('limit',1)

if mf:
mf = " AND mf = %s " % mf
if age:
age = " AND age = %s " % age

query = """
SELECT * FROM mytable
WHERE class = 'P'
AND name = %s
""" + mf + """
""" + age + """
ORDER BY id DESC
LIMIT %s;
"""

db.execute(query, search, limit)
result = db.fetchall()
return result
Click to expand...
How about:

def getData(self, db, params):
search = params.get('search', '')
age = params.get('age', '')
mf = params.get('mf', '')
limit = params.get('limit', 1)

query = """
SELECT * FROM mytable
WHERE class = 'P'
AND name = %s
"""
values = [search]

if mf:
query += " AND mf = %s"
values.append(mf)

if age:
query += " AND age = %s"
values.append(age)

query += """
ORDER BY id DESC
LIMIT %s;
"""
values.append(limit)

db.execute(query, *values)
Click to expand...

db.execute(query, tuple(values))
result = db.fetchall()
return result
Click to expand...

The .execute() method should take two arguments, the second being a
tuple of data values. Some interfaces don't like an empty tuple when the
query has no parameters.

regards
Steve
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

SQL user function returning list for IN clause 5
escaping characters in filenames 4
Search Results with Pagination 0
String substitution VS proper mysql escaping 2
optional parameter in a template 3
Syntax for "OR" in WHERE clause passing parameters from C# ASP.NET 6
CONTAINS clause problem with apostrophe 1
pyPgSql there is already a transaction in progres 3

Members online

Total: 60 (members: 1, guests: 59)
Robots: 399

Forum statistics

Threads
473,982
Messages
2,570,190
Members
46,740
Latest member
AdolphBig6

Latest Threads

Top