2

I've been writing code recently in python that works with postgreSQL databases, and it looks like the following:

def insert(table, ID, date, timestamp):
    cur.execute("""INSERT INTO %s (ID, date, timest)
                   VALUES (%s, %s, %s);""", 
                   (AsIs(table), ID, AsIs(date), AsIs(timestamp)))

This seems to work fine for postgreSQL, but when I try the same thing on a mySQL server, it doesn't work. Does anybody have an idea as to why? I think it might have to do with the %s characters, as it works if I hardcode in the values for table, ID, date, and timestamp.

In addition, it gives me the following error:

_mysql_exceptions.ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''master'' at line 2")

'master' is the name of the table I used as a variable, and I also noticed that there were two single quotes around master (like so: ' 'master' '), where there should only be one. So this might be a problem too?

Anyways, thanks for the help!

Improve this question
11
  • Can you create the string before giving the execute command? Commented Jul 24, 2014 at 23:53
  • @TheSoundDefense how would I do that? Commented Jul 24, 2014 at 23:55
  • query_str = "INSERT INTO %s (ID, date, timest) VALUES (%s, %s, %s);" % (str(table), str(ID), str(date), str(timestamp)) followed by cur.execute(query_str). I dunno if this will work, I haven't used Python's SQL libraries. Commented Jul 24, 2014 at 23:57
  • 4
    @TheSoundDefense -- That's vulnerable to SQL injection. Commented Jul 24, 2014 at 23:58
  • 1
    AsIS is a psycopg2 adapter. What driver are you using for MySQL? Commented Jul 25, 2014 at 0:01

3 Answers 3

Reset to default
2

This doesn't work fine in PostgreSQL either. The table name should not be parametrized.

cur.execute("""INSERT INTO table_name_here (ID, date, timest) ...

For string concatenation: Postgres uses SQL-standard double quotes (not two single quotes!): "master", which does not work in default MySQL. Would have to be `master` - or just master to work in both.

Or activate a setting for some SQL-compliance in MySQL:

SET sql_mode = 'ANSI';
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

You can use format function:

sql = "INSERT INTO {0} (ID, date, timest) VALUES (%s, %s, %s);".format(table_name)
cursor.execute(sql, (ID, date, time_stamp))
Improve this answer

Comments

-3

Actually, I was able to figure out the answer to my question. Simply using a % instead of the , notation fixed my problem.

Original code:

cur.execute("""INSERT INTO %s (ID, date, timest)
               VALUES (%s, %s, %s);""", 
               (AsIs(table), ID, AsIs(date), AsIs(timestamp)))

Fixed code:

cur.execute("""INSERT INTO %s (ID, date, timest)
               VALUES (%s, %s, %s);""" %
               (AsIs(table), ID, AsIs(date), AsIs(timestamp)))
Improve this answer

5 Comments

NO NO NO. Please don't do that because it's a horribly insecure SQL injection.
@KirkStrauser I realize it is prone to SQL injection, but it is merely a test script that I will be running for a known set of tables for my own use.
There's no such thing as an unloaded gun or a secured query. Both should be treated as highly dangerous and likely to explode at any moment. Doing things the right way is exactly as easy as doing them the wrong way, so it's better to get in the habit of doing it right every single time.
@KirkStrauser but it seems the way of doing it "right" is to manually hard code each of my table names, which would have been pretty inefficient given the way my code operates. This is a viable shortcut that meets the conditions that I need.
At the very least, you could write "INSERT INTO %s (var, var) VALUES (%%s, %%s)" % table_name so that the table name is injected into the string but that the values still go through safe escaping.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.