[DB-SIG] comparing with lists via cx_Oracle

M.-A. Lemburg mal at egenix.com
Wed Jan 10 00:30:10 CET 2007 

On 2007-01-09 21:03, Harald Armin Massa wrote:
>> If the problem is not the parameter style, it may be the
>> sequence --> string conversion. In this case, use can use
>>          ",".join([1,2,3,4,5])
>> instead of "[1,2,3,4,5]".
> 
> There MUST NOT be a conversion to a string.
> 
> It has to be a "sequence" or whatever that would be within Oracles SQL.

The standard SQL notation for value lists in SQL is

	x in (value1, value2, ...)

so this should work pretty much with every SQL database.

If you have numbers as sequence elements, the Python tuple
representation works just fine. For strings, things are harder,
but then I wouldn't recommend using IN predicates with strings
anyway - it's better to map the strings to integers via an
extra table (if possible).

Note that you can also write:

	(x == value1) or (x == value2) ...

and then the valueN references using binding parameters.
That way you avoid having to deal with escaping - you still
have to construct the SQL depending on the number of values
you have.

If you have lots of sequence members, it's probably easier
to create a temporary table, fill it with the sequence members
using INSERT and then do a sub-select:

	select y from z where x in (select value from temptable)

If you have string members in your sequence, there's also
another method you could try: several databases have functions
for doing substring-search. All you'd have to do is join all
the members using e.g. ',' (provided none of the members
has this character) and the do something like:

	select y from z where index(values, ',' & x & ',') > 0

You can then replace values with a binding parameter to
avoid the escaping.

> Just imagine not having numeric IDs, but Strings:
> 
> ["isK9","kloN","kJni"]
> 
> as ID.
> 
> I went down that ", ".join(whatever) way; even to the ", ".join("'%s'"
> % (a,) for a in sequence)
> 
> way (those many "' are single quotes quoted with double quotes), and it works.
> 
> BUT ... it forces me to construct the SQL query via Python String
> functions, and to do all the necessary escaping of parameters in
> Python. That is considered BAD, because then I have to deal with all
> the escaping challenges - that's the entrence door of most PHP
> vulnerabilities.

It's not all that bad if you know which backend you're dealing
with :-)

The SQL injection in PHP often has to do with MySQL being
used as backend which supports a gazillion and one ways to do
escaping. This makes it hard to write a catch-all escaping function.

> Parameters should be escaped via the database adapter. .... So I am
> looking for the way to pass sequence parameters into Oracles throat :)

See above: there are other ways this can be done using
portable SQL.

BTW, sequences in DB-talk are objects which you can use as
auto-increment integer source, e.g. for creating ids of
new rows.

Hope this helps,
-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 09 2007)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,FreeBSD for free ! ::::

More information about the DB-SIG mailing list