3

I am trying to query a MySQL db from Python but am having trouble generating the query because of the wildcard % and Python's %s. As a solution I found using ?, but when I run the following,

query = '''select * from db where name like'Al%' and date = '%s' ''', myDateString

I get an error

cursor.execute(s %'2015_05_21')

ValueError: unsupported format character ''' (0x27) at index 36 (the position of %)

How can I combine Python 2.7 string building and SQL wildcards? (The actual query is a lot longer and involves more variables.)

2
  • Possibly unrelated, but you'll typically need to use LIKE (not =) to use a wildcard like 'Al%' Commented May 27, 2014 at 4:50
  • thanks Stuart. Typo - edited now Commented May 27, 2014 at 4:53

4 Answers

2

First of all, you need to escape the percent sign near the Al:

"""select * from db where name like 'Al%%' and date = '%s'"""

Also, follow the best practices and pass the query parameters in the second argument to execute(). This way your query parameters would be escaped and you would avoid sql injections:

query = """select * from db where name like 'Al%%' and date = %s"""
cursor.execute(query, ('2015_05_21', ))

2 Comments

thanks, that works for the example. in my query, I need to combine wildcard and string building like select * from table where name like 'A%% %s' and date = %s. seems like sql does not like having %s within quotation marks. How can i work around that?
@chrise in that case you can use format() with MySQLdb.escape_string, e.g. query = """select * from db where name like 'Al%% {0}' and date = %s""".format(MySQLdb.escape_string(param)).
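The following is an added example, not code from the question or from any of the answers above. It shows the two points the answer makes and the follow-up comment asks about: why a literal % in the SQL text collides with a format-style placeholder, and how to combine a wildcard with a user-supplied fragment without resorting to escape_string() and format(). The trick is to build the whole LIKE pattern in Python and pass it as a parameter, so the SQL text never contains a % at all; if the fragment is user input, its own % and _ characters are escaped so they match literally, paired with an ESCAPE clause. The demo runs against the standard-library sqlite3 module, which uses ? placeholders; with MySQLdb the placeholder is %s and the pattern strings are passed in exactly the same way. render_format_paramstyle() is a deliberately simplified model of what a 'format' paramstyle driver does with execute(sql, params), not MySQLdb's actual implementation, and the table, column names and rows are constructed for the demo.

```python
import sqlite3

# Constructed sample rows (name, date); not data from the original post.
ROWS = [
    ("Alice", "2015_05_21"),
    ("Albert", "2015_05_21"),
    ("Al_x", "2015_05_21"),
    ("Bob", "2015_05_21"),
    ("Alan", "2015_05_22"),
]


def render_format_paramstyle(sql, params):
    """Simplified model (an assumption, not MySQLdb's real code) of a 'format'
    paramstyle driver: each parameter is quoted, then Python's % operator is
    applied to the SQL text. That second step is why a literal '%' in the SQL
    text has to be written as '%%' when parameters are passed."""
    quoted = tuple("'" + str(p).replace("'", "''") + "'" for p in params)
    return sql % quoted


def percent_conflict_message(sql, params):
    """Return the ValueError text the % operator raises for an unescaped
    wildcard in the SQL text, or None when the text formats cleanly."""
    try:
        render_format_paramstyle(sql, params)
    except ValueError as exc:
        return str(exc)
    return None


def escape_like(fragment, esc="\\"):
    """Escape LIKE metacharacters in a user-supplied fragment so they match
    literally. The query must carry an ESCAPE clause with the same character."""
    return (fragment.replace(esc, esc + esc)
                    .replace("%", esc + "%")
                    .replace("_", esc + "_"))


def open_db():
    """In-memory sqlite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db (name TEXT, date TEXT)")
    conn.executemany("INSERT INTO db VALUES (?, ?)", ROWS)
    return conn


def names_with_prefix(conn, prefix, date):
    """The wildcard lives in the parameter value, not in the SQL text, so it
    cannot collide with the driver's placeholder and needs no '%%' doubling."""
    pattern = escape_like(prefix) + "%"
    cur = conn.execute(
        "SELECT name FROM db WHERE name LIKE ? ESCAPE '\\' AND date = ?",
        (pattern, date))
    return [row[0] for row in cur.fetchall()]


def names_containing(conn, fragment, date):
    """The case from the comment thread (wildcard plus a variable fragment):
    the fragment is escaped and wrapped in '%' in Python, then parameterized."""
    pattern = "%" + escape_like(fragment) + "%"
    cur = conn.execute(
        "SELECT name FROM db WHERE name LIKE ? ESCAPE '\\' AND date = ?",
        (pattern, date))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    bad = "select * from db where name like 'Al%' and date = %s"
    good = "select * from db where name like 'Al%%' and date = %s"
    print(percent_conflict_message(bad, ("2015_05_21",)))
    print(render_format_paramstyle(good, ("2015_05_21",)))
    conn = open_db()
    print(names_with_prefix(conn, "Al", "2015_05_21"))
    print(names_with_prefix(conn, "Al_", "2015_05_21"))
    print(names_containing(conn, "_", "2015_05_21"))
```

The second names_with_prefix call is the edge case worth noticing: without escape_like(), a user-typed "Al_" would be a LIKE pattern matching any three-letter prefix starting with "Al", so "Alice" and "Albert" would come back as well; with it, only "Al_x" matches.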
1

Two things:

  1. Don't use string formatting ('%s' % some_var) in SQL queries. Instead, pass the string as a sequence (like a list or a tuple) to the execute method.

  2. You can escape your % so Python will not expect a format specifier:

    q = "SELECT foo FROM bar WHERE zoo LIKE 'abc%%' and id = %s"
    cursor.execute(q, (some_var,))
    


0

Use the format syntax for Python string building, and %s for SQL interpolation. That way they don't conflict with each other.


0

You are not using the ? correctly.

Here's an example: command = '''SELECT M.name, M.year FROM Movie M, Person P, Director D WHERE M.id = D.movie_id AND P.id = D.director_id AND P.name = ? AND M.year BETWEEN ? AND ?;'''

Execute the command, replacing the placeholders with the values of the variables in the list [dirName, start, end].

cursor.execute(command, [dirName, start, end])

So, you want to try:

cursor.execute(query,'2015_05_21')

1 Comment

Did you actually try this code? It won't work. .execute expects a sequence, and you are passing it a string.
