SQL Variable Substitution Question

Paul Boddie paulb at infercor.no
Thu Jun 8 06:29:14 EDT 2000 

Tim Roberts wrote:
> 
> liang at cad.gatech.edu (Shengquan Liang) wrote:
> >
> >say i have yyyy = 1000
> >
> >in the documentation of DC Oracle, it says that
> >i shoul d use 'select * from attt'
> >               'where bbbb = :yyyy'
> >
> >to make it work.
> 
> No, SQL doesn't have any idea what your Python variables are.  To use the
> ":" feature, you have to have set an _SQL_ variable called "yyyy".  How you
> do that varies with the backend.

Guessing, with the help of the DB-API specification, I would try:

  cursor.execute('select * from attt where bbbb = :yyyy', {"yyyy" : yyyy})

Or:

  cursor.execute('select * from attt where bbbb = :yyyy', yyyy=yyyy)

See the specification at:

  http://www.python.org/topics/database/DatabaseAPI-2.0.html

> In your case, it's probably easier to build the complete string in Python
> and pass that to the database:
> 
>   'select * from attt where bbbb = %d' % yyyy

I would advise against this, and given the numerous recent occasions when such
advice has been given on comp.lang.python, I rather suspect that most Python
database application writers who make their opinions known either don't know
about bind variables or don't trust them. As for being easier, take a look at
this suggestion:

Scott Barron wrote:
> 
> Perhaps you are looking for something like this:
> 
> query_string = "SELECT AAA FROM BBB WHERE cc = %s"
> 
> then you could do:
> 
> query_function (query_string % `pp`)  # if pp is an integer type
> 
> or
> query_function (query_string % pp)   # if pp is a string type
> 
> or change %s to %d or whatever,  depending on what pp is.

Will the second case actually work? I don't see the % operator adding '
characters to make the query string correct, or dealing appropriately with '
characters inside any string literal. It seems easier to use bind variables, in
my opinion.

Tim Roberts wrote:
> 
> liang at cad.gatech.edu (Shengquan Liang) wrote:
> >
> >BUT, when i tried it this way, the
> >iDC oracle reponded by:
> >
> >  oci.err:(1008,'ORA-1008: not all variables bound\012')
> >
> >what's the problem with that?
> 
> You haven't bound the SQL variable yyyy to any value.  As I said, the
> method for doing that varies with the backend.

Indeed. If the above methods don't work, try using numeric variable names:

  cursor.execute('select * from attt where bbbb = :1', (yyyy,))

  cursor.execute('select * from attt where bbbb = :1 and cccc = :2',
    (yyyy, zzzz))

This definitely worked in previous Oracle modules. Note that a tuple must be
supplied as the second argument.

Paul

More information about the Python-list mailing list