我正在使用pyodbc查询SQL Server数据库
import datetime
import pyodbc
conn = pyodbc.connect("Driver={SQL Server};Server='dbserver',Database='db',
TrustedConnection=Yes")
cursor = conn.cursor()
ratings = ("PG-13", "PG", "G")
st_dt = datetime(2010, 1, 1)
end_dt = datetime(2010, 12, 31)
cursor.execute("""Select title, director, producer From movies
Where rating In ? And release_dt Between ? And ?""",
ratings, str(st_dt), str(end_dt))
但我收到以下错误.元组参数是否需要以不同的方式处理?有没有更好的方法来构建此查询?
('42000', "[42000] [Microsoft][ODBC SQL Server Driver][SQL Server]Line 9:
Incorrect syntax near '@P1'. (170) (SQLExecDirectW);
[42000] [Microsoft][ODBC SQL Server Driver][SQL Server]
Statement(s) could not be prepared. (8180)")
更新:
我能够使用字符串格式化运算符使这个查询工作,这不是理想的,因为它引入了安全性问题.
import datetime
import pyodbc
conn = pyodbc.connect("Driver={SQL Server};Server='dbserver',Database='db',
TrustedConnection=Yes")
cursor = conn.cursor()
ratings = ("PG-13", "PG", "G")
st_dt = datetime(2010, 1, 1)
end_dt = datetime(2010, 12, 31)
cursor.execute("""Select title, director, producer From movies
Where rating In %s And release_dt Between '%s' And '%s'""" %
(ratings, st_dt, end_dt))
Lar*_*tig 13
您不能IN ()使用单个字符串参数在子句中参数化多个值.实现这一目标的唯一方法是:
字符串替换(正如您所做的那样).
在表单中构建参数化查询,IN (?, ?, . . ., ?)然后为每个占位符传递一个单独的参数.我不是Python到ODBC的专家,但我想这在Python这样的语言中特别容易.这样更安全,因为您可以获得参数化的全部价值.
geo*_*ika 13
为了扩展Larry的第二个选项 - 动态创建参数化字符串,我成功地使用了以下内容:
placeholders = ",".join("?" * len(code_list))
sql = "delete from dbo.Results where RESULT_ID = ? AND CODE IN (%s)" % placeholders
params = [result_id]
params.extend(code_list)
cursor.execute(sql, params)
使用适当的参数提供以下SQL:
delete from dbo.Results where RESULT_ID = ? AND CODE IN (?,?,?)