7

How to pass variable parameters dynamically

order = 10100

status = 'Shipped'

df1 = pd.read_sql_query("SELECT  * from orders where orderNumber =""" +  
str(10100) + """ and status = """ + 'status' +"""  order by orderNumber """,cnx)

TypeError: must be str, not int

Getting the above error although I converted to strings. Any idea?

Is there any alternative way to pass the parameters?

3
  • Can you print orders.dtypes? Commented Feb 5, 2018 at 18:46
  • orderNumber int64 orderDate object requiredDate object shippedDate object status object comments object customerNumber int64 Commented Feb 5, 2018 at 18:51
  • Not sure then, try unutbu's answer below. Commented Feb 5, 2018 at 18:53

3 Answers

16

Use parametrized sql by supplying the arguments via the params keyword argument. The proper quotation of arguments will be done for you by the database adapter and the code will be less vulnerable to SQL injection attacks. (See Little Bobby Tables for an example of the kind of trouble improperly quoted, non-parametrized sql can get you into.)

order = 10100

status = 'Shipped'

sql = """SELECT  * from orders where orderNumber = ?
         and status = ? order by orderNumber"""
df1 = pd.read_sql_query(sql, cnx, params=[order, status])

The ?s in sql are parameter markers. They get replaced with properly quoted values from params. Note that the proper parameter marker depends on the database adapter you are using. For example, MySQLdb and psycopg2 use %s, while sqlite3 and oursql use ?.


11 Comments

Thanks. I am working with Teradata; will it work? Is there any limit on the parameters passed in the query, or can we pass multiple parameters?
I expect it should work though I'm not familiar with Teradata. The best way is to try and see.
Thanks, will check on this tomorrow in the office.
So here we don't need to specify whether it's a string or an integer; it will automatically pick based on the initialization?
The database adapter does the quoting for you, based on the value of the parameter and the table schema.
3
In MySQL:

order = 10100

status = 'Shipped'
sql = """SELECT  * from orders where orderNumber = %s
         and status = %s order by orderNumber"""
df1 = pd.read_sql_query(sql, cnx, params=[order, status])


0

If you think of your query as a string, you can replace your variable with the actual value of that variable using string formatting first, and then use it in your SQL query.

import pandasql

order = 10100
status = 'Shipped'

# The string value must be wrapped in single quotes inside the SQL text
query1 = "SELECT * FROM orders WHERE orderNumber = " + str(order) + " AND status = '" + status + "' ORDER BY orderNumber"

df1 = pandasql.sqldf(query1, locals())

1 Comment

Thank you for contributing to the Stack Overflow community. This may be a correct answer, but it’d be really useful to provide additional explanation of your code so developers can understand your reasoning. This is especially useful for new developers who aren’t as familiar with the syntax or struggling to understand the concepts. Would you kindly edit your answer to include additional details for the benefit of the community?
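Added example, not part of any answer above: the string-concatenation approach and the params approach side by side, run against an in-memory sqlite3 database (hence the ? marker). The table rows, the helper names and the two awkward status values are constructed for the illustration; pd.read_sql_query(sql, cnx, params=...) passes params to the adapter's execute in the same way.

```python
import sqlite3


def make_db():
    """Build an in-memory orders table with constructed sample rows."""
    cnx = sqlite3.connect(":memory:")
    cnx.execute("CREATE TABLE orders (orderNumber INTEGER, status TEXT)")
    cnx.executemany(
        "INSERT INTO orders VALUES (?, ?)",
        [(10100, "Shipped"), (10101, "Cancelled"), (10102, "On Hold")],
    )
    return cnx


def query_concat(cnx, order, status):
    """Concatenated query: the values become part of the SQL text itself."""
    sql = ("SELECT orderNumber FROM orders WHERE orderNumber = " + str(order)
           + " AND status = '" + status + "' ORDER BY orderNumber")
    return [row[0] for row in cnx.execute(sql)]


def query_params(cnx, order, status):
    """Parametrized query: the adapter binds each value as data.
    No str() conversion or manual quoting is needed for int or str."""
    sql = ("SELECT orderNumber FROM orders WHERE orderNumber = ? "
           "AND status = ? ORDER BY orderNumber")
    return [row[0] for row in cnx.execute(sql, [order, status])]


# Constructed inputs: a harmless value with an apostrophe, and a value
# whose quote changes the meaning of the concatenated WHERE clause.
APOSTROPHE_STATUS = "Won't ship"
HOSTILE_STATUS = "x' OR '1'='1"

if __name__ == "__main__":
    cnx = make_db()
    print("params, normal :", query_params(cnx, 10100, "Shipped"))
    print("concat, hostile:", query_concat(cnx, 10100, HOSTILE_STATUS))
    print("params, hostile:", query_params(cnx, 10100, HOSTILE_STATUS))
    try:
        query_concat(cnx, 10100, APOSTROPHE_STATUS)
    except sqlite3.OperationalError as exc:
        print("concat, apostrophe: query breaks:", exc)
    print("params, apostrophe:", query_params(cnx, 10100, APOSTROPHE_STATUS))
```

With concatenation the hostile value returns every row and the apostrophe value is a syntax error; with params both are compared as plain strings and match nothing.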
