How Can I Correctly Format Python Strings for SQL LIKE Queries with Wildcards?-Mysql Tutorial-php.cn

How Can I Correctly Format Python Strings for SQL LIKE Queries with Wildcards?

Barbara Streisand

Release： 2024-12-19 21:32:13

Original

439 people have browsed it

How Can I Correctly Format Python Strings for SQL LIKE Queries with Wildcards?

Python's String Formatting with SQL Wildcards and LIKE

Encountering difficulties while integrating SQL statements with wildcards into your Python code? This article will provide a solution to the common challenges faced when formatting Python strings for queries involving the LIKE keyword and wildcards.

Problem:

Using the LIKE keyword with wildcards in an SQL statement using MySQLdb in Python proves problematic. Various attempts to format the string using Python's format method result in errors from either Python's value validation or MySQLdb's query execution.

Incorrect Attempts:

# Attempt 1: Value error due to unsupported escape sequence
"SELECT tag.userId, count(user.id) as totalRows FROM user INNER JOIN\
  tag ON user.id = tag.userId WHERE user.username LIKE '%%s%'" % (query)

# Attempt 2: Returns same error as Attempt 1
"SELECT tag.userId, count(user.id) as totalRows FROM user INNER JOIN\
  tag ON user.id = tag.userId WHERE user.username LIKE '\%%s\%'" % (query)

# Attempt 3: Error from MySQLdb due to insufficient arguments in format string
like = "LIKE '%" + str(query) + "%'"
totalq = "SELECT tag.userId, count(user.id) as totalRows FROM user INNER JOIN\
  tag ON user.id = tag.userId WHERE user.username " + like

# Attempt 4: Returns same error as Attempt 3
like = "LIKE '\%" + str(query) + "\%'"
totalq = "SELECT tag.userId, count(user.id) as totalRows FROM user INNER JOIN\
  tag ON user.id = tag.userId WHERE user.username " + like

Copy after login

Solution:

To address these formatting issues and ensure the SQL statement executes correctly, employ the following approach:

curs.execute("""SELECT tag.userId, count(user.id) as totalRows 
                  FROM user 
            INNER JOIN tag ON user.id = tag.userId 
                 WHERE user.username LIKE %s""", ('%' + query + '%',))

Copy after login

In this example, two arguments are passed to the execute() method. The first argument is a formatted SQL string with a placeholder for the wildcard expression. The second argument is a tuple containing the wildcard expression prefixed and suffixed with a percent sign. This ensures that the wildcard is applied at both ends of the search string.

By utilizing this method, you eliminate the risk of SQL injection attacks and ensure that the query executes without any formatting errors.

The above is the detailed content of How Can I Correctly Format Python Strings for SQL LIKE Queries with Wildcards?. For more information, please follow other related articles on the PHP Chinese website!