MySQL problem

[Lad]

I have the following
program( only insert a record)
################
import MySQLdb
conn = MySQLdb.connect (host = "localhost",user = "", passwd =
"",db="dilynamobily")
cursor = conn.cursor ()
cursor.execute("""CREATE TABLE produkt1 (
id int(10) unsigned NOT NULL auto_increment,
MyNumber varchar(30) NOT NULL default '',
PRIMARY KEY (id))
""")

#MyValue=111
cursor.execute ("""INSERT INTO produkt1
(MyNumber)
VALUES(111)
""")
#################
It works. But If I change the program like the following ( only use a
variable MyValue in INSERT statement it does not work.
##########THIS DOES NOT WORK########
import MySQLdb,re,string
conn = MySQLdb.connect (host = "localhost",user = "", passwd =
"",db="dilynamobily")
cursor = conn.cursor ()
cursor.execute("""CREATE TABLE produkt1 (
id int(10) unsigned NOT NULL auto_increment,
MyNumber varchar(30) NOT NULL default '',
PRIMARY KEY (id))
""")

MyValue=111
cursor.execute ("""INSERT INTO produkt1
(MyNumber)
VALUES(MyValue)
""")
#################
Program says
OperationalError: (1054, "Unknown column 'MyValue' in 'field list'")
Where is a problem. Thanks for help
Lad.

 

[wes weston]

I have the following
program( only insert a record)
################
import MySQLdb
conn = MySQLdb.connect (host = "localhost",user = "", passwd =
"",db="dilynamobily")
cursor = conn.cursor ()
cursor.execute("""CREATE TABLE produkt1 (
id int(10) unsigned NOT NULL auto_increment,
MyNumber varchar(30) NOT NULL default '',
PRIMARY KEY (id))
""")

#MyValue=111
cursor.execute ("""INSERT INTO produkt1
(MyNumber)
VALUES(111)
""")
#################
It works. But If I change the program like the following ( only use a
variable MyValue in INSERT statement it does not work.
##########THIS DOES NOT WORK########
import MySQLdb,re,string
conn = MySQLdb.connect (host = "localhost",user = "", passwd =
"",db="dilynamobily")
cursor = conn.cursor ()
cursor.execute("""CREATE TABLE produkt1 (
id int(10) unsigned NOT NULL auto_increment,
MyNumber varchar(30) NOT NULL default '',
PRIMARY KEY (id))
""")

MyValue=111
cursor.execute ("""INSERT INTO produkt1
(MyNumber)
VALUES(MyValue)
""")
#################
Program says
OperationalError: (1054, "Unknown column 'MyValue' in 'field list'")
Where is a problem. Thanks for help
Lad.

Lad,
Try

str = "INSERT INTO produkt1 (MyNumber) VALUES(%d)" % (MyNumber)
cursor.execute(str)

wes

 

[Dennis Lee Bieber]

str = "INSERT INTO produkt1 (MyNumber) VALUES(%d)" % (MyNumber)
cursor.execute(str)

Think you meant "MyValue" for the second item... However...

Try neither, the recommended method is to let the execute() do
the formatting... That way /it/ can apply the needed quoting of
arguments based upon the type of the data.

cursor.execute("insert into produkt1 (MyNumber) values (%d)", (MyValue))

--

 

[wes weston]

Think you meant "MyValue" for the second item... However...

Try neither, the recommended method is to let the execute() do
the formatting... That way /it/ can apply the needed quoting of
arguments based upon the type of the data.

cursor.execute("insert into produkt1 (MyNumber) values (%d)", (MyValue))

Dennis,
Do you know if this has some efficiency advantage
or is it just an agreed upon custom.
wes

 

[Kent Johnson]

Dennis,
Do you know if this has some efficiency advantage
or is it just an agreed upon custom.

It may have efficiency advantages if the DB caches requests. But the main advantages are that
- it correctly escapes special chars such as "
- consequently it also protects against SQL injection attacks where MyValue might contain malicious SQL.

Kent

 

[Dennis Lee Bieber]

Dennis,
Do you know if this has some efficiency advantage
or is it just an agreed upon custom.

A more critical reason is the module itself can handle the
quoting and escaping needed for the odder data types. Consider what
happens if:

avalue = '''"This is a 'string' with both types of 'quotes'"'''
(that is 3*', ", 'x', 'x', ", 3*')

and you use the % operator on

sql = "insert into atable (afield) values (%s)" % avalue

<print sql>

insert into atable (afield) values ("This is a 'string' with both types
of 'quotes'")

The " are taken by MySQL as the delimiters of the string value, not part
of the string data.

But if you use:

sql = "insert into atable (afield) values ('%s')" % avalue

you get

insert into atable (afield) values ('"This is a 'string' with both types
of 'quotes'"')

Note that MySQL will complain at 'string, as the ' closes the string
"This is a

Letting .execute(template, (values)) do the substitution will generate
the proper (without, I believe, having to put quotes around the %s):

insert into atable (afield) values ('"This is a \'string\' with both
types of \'quotes\'"')

or, if .execute() defaults to using " instead of '

insert into atable (afield) values ("\"This is a 'string' with both
types of 'quotes'\"")


Their is also, as I recall, an .executemany() that some RDBMs
support. For these, you MUST let the module do the substitution:

c.executemany(template,
((record1 values),
(record2 values), ...,
(record-n values)) )

--