在PostgreSQL上使用LIKE的Django原始SQL查询

时间:2012-12-18 19:31:23

标签: django postgresql psycopg2 sql-like

我正在尝试使用带有Psycopg2驱动程序的PostgreSQL数据库中的LIKE在Django中进行Raw SELECT。

我已经测试了我在网上发现的内容,但没有任何效果。

情况如下。我需要像这样执行SELECT:

select distinct on (name, adm1.name, adm2.name_local)
gn.geonameid,
case when altnm.iso_language = 'pt' then altnm.alternate_name else gn.name end as name,
adm1.name as zona,
adm2.name_local as municipio
from location_geonameslocal gn
join location_geonameszone adm1 on adm1.code = gn.country || '.' || gn.admin1
join location_geonamesmunicipality adm2 on adm2.code = gn.country || '.' || gn.admin1 || '.' || gn.admin2
left join location_geonamesalternatenames altnm on altnm.geonameid = gn.geonameid
where
(gn.fclass = 'P' or gn.fclass = 'A')
and (altnm.iso_language = 'pt' or altnm.iso_language = 'link' or altnm.iso_language is null or altnm.iso_language = '')
and gn.country = 'PT'
and (gn.name like '%Lisboa%' or altnm.alternate_name like '%Lisboa%')
order by name, adm1.name, adm2.name_local;

SELECT的重要/问题部分就是这个:

and (gn.name like '%Lisboa%' or altnm.alternate_name like '%Lisboa%')

我写了一个简单的视图来测试SELECT,它看起来像这样:

def get_citiesjson_view(request):
    word = "Lisboa"
    term   = "%" + word + "%"

    cursor = connection.cursor()
    cursor.execute("select distinct on (name, adm1.name, adm2.name_local)\
          gn.geonameid,\
          case when altnm.iso_language = 'pt' then altnm.alternate_name else gn.name end as name,\
          adm1.name as zona,\
          adm2.name_local as municipio\
          from location_geonameslocal gn\
          join location_geonameszone adm1 on adm1.code = gn.country || '.' || gn.admin1\
          join location_geonamesmunicipality adm2 on adm2.code = gn.country || '.' || gn.admin1 || '.' || gn.admin2\
          left join location_geonamesalternatenames altnm on altnm.geonameid = gn.geonameid\
          where\
          (gn.fclass = 'P' or gn.fclass = 'A')\
          and (altnm.iso_language = 'pt' or altnm.iso_language = 'link' or altnm.iso_language is null or altnm.iso_language = '')\
          and gn.country = 'PT'\
          and (gn.name like %s or altnm.alternate_name like %s)\
          order by name, adm1.name, adm2.name_local;", [term, term])

    data = cursor.fetchone()

    mimetype = 'application/json'
    return HttpResponse(data, mimetype)

不幸的是,这不起作用,我找不到让它工作的方法。一些线索?

更新:此表单实际上正在运行:

cursor.execute("... and (gn.name like %s or altnm.alternate_name like %s)... ",  ['%'+term+'%', '%'+term+'%'])

2 个答案:

答案 0 :(得分:2)

此表格实际上正在运作:

cursor.execute("... and (gn.name like %s or altnm.alternate_name like %s)... ",  ['%'+term+'%', '%'+term+'%'])

答案 1 :(得分:0)

您不应该使用默认的 Python 格式来构造带参数的 SQL 查询,要使用原始 SQL LIKE 子句,您可以执行以下操作:

sql = 'SELECT id FROM table WHERE 1 = 1'
params = []

if 'descricao' in args.keys():  # your validation
    # build sql query and params correctly
    sql += ' AND descricao LIKE %s'
    params.append('%'+args['descricao']+'%')


with connections['default'].cursor() as cursor:
    cursor.execute(sql, params)

这样你就可以安全地抵御 SQL 注入漏洞

相关问题
最新问题