By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
440,345 Members | 1,790 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 440,345 IT Pros & Developers. It's quick & easy.

MySQL problem

P: n/a
Lad
I have the following
program( only insert a record)
################
import MySQLdb
conn = MySQLdb.connect (host = "localhost",user = "", passwd =
"",db="dilynamobily")
cursor = conn.cursor ()
cursor.execute("""CREATE TABLE produkt1 (
id int(10) unsigned NOT NULL auto_increment,
MyNumber varchar(30) NOT NULL default '',
PRIMARY KEY (id))
""")

#MyValue=111
cursor.execute ("""INSERT INTO produkt1
(MyNumber)
VALUES(111)
""")
#################
It works. But If I change the program like the following ( only use a
variable MyValue in INSERT statement it does not work.
##########THIS DOES NOT WORK########
import MySQLdb,re,string
conn = MySQLdb.connect (host = "localhost",user = "", passwd =
"",db="dilynamobily")
cursor = conn.cursor ()
cursor.execute("""CREATE TABLE produkt1 (
id int(10) unsigned NOT NULL auto_increment,
MyNumber varchar(30) NOT NULL default '',
PRIMARY KEY (id))
""")

MyValue=111
cursor.execute ("""INSERT INTO produkt1
(MyNumber)
VALUES(MyValue)
""")
#################
Program says
OperationalError: (1054, "Unknown column 'MyValue' in 'field list'")
Where is a problem. Thanks for help
Lad.

Jul 18 '05 #1
Share this Question
Share on Google+
5 Replies


P: n/a
Lad wrote:
I have the following
program( only insert a record)
################
import MySQLdb
conn = MySQLdb.connect (host = "localhost",user = "", passwd =
"",db="dilynamobily")
cursor = conn.cursor ()
cursor.execute("""CREATE TABLE produkt1 (
id int(10) unsigned NOT NULL auto_increment,
MyNumber varchar(30) NOT NULL default '',
PRIMARY KEY (id))
""")

#MyValue=111
cursor.execute ("""INSERT INTO produkt1
(MyNumber)
VALUES(111)
""")
#################
It works. But If I change the program like the following ( only use a
variable MyValue in INSERT statement it does not work.
##########THIS DOES NOT WORK########
import MySQLdb,re,string
conn = MySQLdb.connect (host = "localhost",user = "", passwd =
"",db="dilynamobily")
cursor = conn.cursor ()
cursor.execute("""CREATE TABLE produkt1 (
id int(10) unsigned NOT NULL auto_increment,
MyNumber varchar(30) NOT NULL default '',
PRIMARY KEY (id))
""")

MyValue=111
cursor.execute ("""INSERT INTO produkt1
(MyNumber)
VALUES(MyValue)
""")
#################
Program says
OperationalError: (1054, "Unknown column 'MyValue' in 'field list'")
Where is a problem. Thanks for help
Lad.


Lad,
Try

str = "INSERT INTO produkt1 (MyNumber) VALUES(%d)" % (MyNumber)
cursor.execute(str)

wes

Jul 18 '05 #2

P: n/a
On Thu, 17 Mar 2005 16:45:57 GMT, wes weston <ww*****@att.net> declaimed
the following in comp.lang.python:

str = "INSERT INTO produkt1 (MyNumber) VALUES(%d)" % (MyNumber)
cursor.execute(str)
Think you meant "MyValue" for the second item... However...

Try neither, the recommended method is to let the execute() do
the formatting... That way /it/ can apply the needed quoting of
arguments based upon the type of the data.

cursor.execute("insert into produkt1 (MyNumber) values (%d)", (MyValue))

-- ================================================== ============ <
wl*****@ix.netcom.com | Wulfraed Dennis Lee Bieber KD6MOG <
wu******@dm.net | Bestiaria Support Staff <
================================================== ============ <
Home Page: <http://www.dm.net/~wulfraed/> <
Overflow Page: <http://wlfraed.home.netcom.com/> <

Jul 18 '05 #3

P: n/a
Dennis Lee Bieber wrote:
On Thu, 17 Mar 2005 16:45:57 GMT, wes weston <ww*****@att.net> declaimed
the following in comp.lang.python:

str = "INSERT INTO produkt1 (MyNumber) VALUES(%d)" % (MyNumber)
cursor.execute(str)


Think you meant "MyValue" for the second item... However...

Try neither, the recommended method is to let the execute() do
the formatting... That way /it/ can apply the needed quoting of
arguments based upon the type of the data.

cursor.execute("insert into produkt1 (MyNumber) values (%d)", (MyValue))


Dennis,
Do you know if this has some efficiency advantage
or is it just an agreed upon custom.
wes

Jul 18 '05 #4

P: n/a
wes weston wrote:
Dennis Lee Bieber wrote:
Try neither, the recommended method is to let the execute() do
the formatting... That way /it/ can apply the needed quoting of
arguments based upon the type of the data.

cursor.execute("insert into produkt1 (MyNumber) values (%d)", (MyValue))


Dennis,
Do you know if this has some efficiency advantage
or is it just an agreed upon custom.


It may have efficiency advantages if the DB caches requests. But the main advantages are that
- it correctly escapes special chars such as "
- consequently it also protects against SQL injection attacks where MyValue might contain malicious SQL.

Kent
Jul 18 '05 #5

P: n/a
On Fri, 18 Mar 2005 16:22:37 GMT, wes weston <ww*****@att.net> declaimed
the following in comp.lang.python:
Dennis Lee Bieber wrote:

cursor.execute("insert into produkt1 (MyNumber) values (%d)", (MyValue)) I meant %s there, not %d
Dennis,
Do you know if this has some efficiency advantage
or is it just an agreed upon custom.


A more critical reason is the module itself can handle the
quoting and escaping needed for the odder data types. Consider what
happens if:

avalue = '''"This is a 'string' with both types of 'quotes'"'''
(that is 3*', ", 'x', 'x', ", 3*')

and you use the % operator on

sql = "insert into atable (afield) values (%s)" % avalue

<print sql>

insert into atable (afield) values ("This is a 'string' with both types
of 'quotes'")

The " are taken by MySQL as the delimiters of the string value, not part
of the string data.

But if you use:

sql = "insert into atable (afield) values ('%s')" % avalue

you get

insert into atable (afield) values ('"This is a 'string' with both types
of 'quotes'"')

Note that MySQL will complain at 'string, as the ' closes the string
"This is a

Letting .execute(template, (values)) do the substitution will generate
the proper (without, I believe, having to put quotes around the %s):

insert into atable (afield) values ('"This is a \'string\' with both
types of \'quotes\'"')

or, if .execute() defaults to using " instead of '

insert into atable (afield) values ("\"This is a 'string' with both
types of 'quotes'\"")
Their is also, as I recall, an .executemany() that some RDBMs
support. For these, you MUST let the module do the substitution:

c.executemany(template,
((record1 values),
(record2 values), ...,
(record-n values)) )

-- ================================================== ============ <
wl*****@ix.netcom.com | Wulfraed Dennis Lee Bieber KD6MOG <
wu******@dm.net | Bestiaria Support Staff <
================================================== ============ <
Home Page: <http://www.dm.net/~wulfraed/> <
Overflow Page: <http://wlfraed.home.netcom.com/> <

Jul 18 '05 #6

This discussion thread is closed

Replies have been disabled for this discussion.