10

With Python's DB API spec you can pass an argument of parameters to the execute() method. Part of my statement is a WHERE IN clause and I've been using a tuple to populate the IN. For example:

params = ((3, 2, 1), )
stmt = "SELECT * FROM table WHERE id IN %s"
db.execute(stmt, params)

But when I run into a situation where the parameter tuple is only a tuple of 1 item, the execute fails.

ProgrammingError: ERROR: syntax error at or near ")"
LINE 13: WHERE id IN (3,)

How can I get the tuple to work with clause properly?

Improve this question

6 Answers 6

Reset to default
13

Edit: If you think this answer circumvents the built-in protections against SQL-injection attack you're mistaken; look more closely.

Testing with pg8000 (a DB-API 2.0 compatible Pure-Python interface to the PostgreSQL database engine):

This is the recommended way to pass multiple parameters to an "IN" clause.

params = [3,2,1]
stmt = 'SELECT * FROM table WHERE id IN (%s)' % ','.join('%s' for i in params)
cursor.execute(stmt, params)

Full example:

>>> from pg8000 import DBAPI
>>> conn = DBAPI.connect(user="a", database="d", host="localhost", password="p")
>>> c = conn.cursor()
>>> prms = [1,2,3]
>>> stmt = 'SELECT * FROM table WHERE id IN (%s)' % ','.join('%s' for i in prms)
>>> c.execute(stmt,prms)
>>> c.fetchall()
((1, u'myitem1'), (2, u'myitem2'), (3, u'myitem3'))
Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Correct me if I'm wrong, but doesn't your example only pass the first item only to the IN sub-clause? > SELECT * FROM table WHERE id IN (3)
This answer is dangerously wrong! Substituting parameters yourself in Python code, instead of letting the database driver do it, is a security hole called "SQL injection". Imagine if one of the items in the list were the string "); DROP TABLE table; --".
Protection from SQL injections isn't something you should add on to code that allows SQL injections. You will rarely get it right. Instead, you should not write the code that allows SQL injections.
@rspeer: This isn't substituting parameters in Python code, it's generating placeholders in Python code and then letting the DB-API do the substitution into those placeholders.
It might be a little less easy to misunderstand without the comprehension: ['%s'] * len(params).
|
1

The error is coming from the comma after the 3. Just leave it off for the single values and you're set.

params = ((3), ... )
stmt = "SELECT * FROM table WHERE id IN %s"
db.execute(stmt, params)
Improve this answer

3 Comments

Yeah I know why the error happened, but I'm not building the tuple. The tuple is populated by another SQL result. So in passing, the single item tuple retains a hanging comma.
I also wanted to point out that a single item tuple must have a trailing comma.
Ah, I misunderstood. Well in that case you could use len() to get the length of the tuple and if its one the use tuple[0] to extract the value without the comma.
1

This may not be an answer to exactly the question you asked, but I think it may solve the problem you have.

Python's DB-API doesn't seem to give you a way to pass tuples as safely substituted parameters. The accepted answer from bernie is using the Python % operator for substitution, which is unsafe.

However, you may not have to pass tuples as parameters, particularly when the tuple you want is the result of another SQL query (as you indicated to Daniel). Instead, you can use SQL subqueries.

If the set of IDs you want in your IN clause is the result of SELECT id FROM other_table WHERE use=true, for example:

stmt = "SELECT * FROM table WHERE id IN (SELECT id FROM other_table WHERE use=true)"
db.execute(stmt)

And this can be parameterized (the safe way), too. If the IDs you want to select are the ones with a given parent_id:

stmt = "SELECT * FROM table WHERE id IN (SELECT id FROM other_table WHERE parent_id=%s)"
params = (parent_id,)
db.execute(stmt, params)
Improve this answer

Comments

1

As the question said, the following will fail:

params = ((3, 2, 1), )
stmt = "SELECT * FROM table WHERE id IN %s"
db.execute(stmt, params)

Following the pg8000 docs the IN can be replaced with an ANY() to give the same result:

params = ((3, 2, 1), )
stmt = "SELECT * FROM table WHERE id = ANY(%s)"
db.execute(stmt, params)

This sends the query and parameters separately to the server, avoiding SQL injection attacks.

Improve this answer

Comments

0

A solution with f-string.

params = [...]
stmt = f"SELECT * FROM table WHERE id IN ({','.join(['%s']*len(params ),)})"
db.execute(stmt, params)

If there is another param placeholder it will be like this

age = 18
params = [...]
stmt = f"SELECT * FROM table WHERE age>%s AND id IN ({','.join(['%s']*len(params ),)})"
db.execute(stmt, tuple([age] + params))
Improve this answer

Comments

-1

The accepted answer risks SQL injection; you should never ever pass user input directly to the database. Instead, generate a query with the correct number of placeholders, then let pg8000 do the escaping:

params = [3,2,1]
# SELECT * from table where id in (%s,%s,%s)
stmt = 'SELECT * FROM table WHERE id IN ({})'.format(','.join(['%s']*len(params)))
cursor.execute(stmt, tuple(params))
Improve this answer

2 Comments

Isn't this the same as what the accepted answer does? It is also generating a query with the right number of placeholders, not substituting the params directly into the query string.
For params = [3] you will get the SQL syntax error "IN(3,)"

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.