新观看者注意:这个问题已被回答
如果我在python中有一个长的SQL语句多次引用一个字符串,我该如何更改SQL语句,以便它引用一个等于该字符串的变量呢?
在程序中,不会预定义用户的输入。因此,当他们将关键字放入文本框并单击"搜索"时,他们的输入将存储为字符串,作为名为" userinput"的变量。我需要使用变量" userinput"在SQL命令中。到目前为止,如果我实际输入用户输入,我只能使SQL命令工作。
我在一个单独的小程序中试用它:
import sqlite3
conn = sqlite3.connect(':memory:')
cursor = conn.cursor()
cursor.execute("""CREATE TABLE testtable (
label char,
format char,
catnum char,
sidecat char,
year char,
artist char,
relname char,
trackname char,
composer char,
collection int
)""")
conn.commit()
cursor.execute('''INSERT INTO testtable VALUES ("GBI", "LP", "104", "104 (B)", "1974", "The Mustangs", "On Tha Rocks", "Someday We'll Be Together", "Unknown", 1)''')
conn.commit()
cursor.execute('''INSERT INTO testtable VALUES ("GBI", "Single", "235", "235 (B)", "1978", "Willpower", "Love Makes It Alright", "The Mail", "Eddie Minnis", 1)''')
conn.commit()
cursor.execute('''INSERT INTO testtable VALUES ("PENN", "LP", "002", "002 (B)", "1972", "Frank Penn", "'72", "The Time For Loving Is Now", "Frank Penn", 1)''')
conn.commit()
cursor.execute('''INSERT INTO testtable VALUES ("PENN's", "Single", "111", "A-111", "Unknown", "Jay Mitchell", "Nitty Gritty Song", "Nitty Gritty Song", "Jay Mitchell", 0)''')
conn.commit()
cursor.execute('''INSERT INTO testtable VALUES ("PENN's", "Single", "111", "A-111", "Unknown", "Jay Mitchell", "Nitty Gritty Song", "Unhappy People", "Jay Mitchell", 0)''')
conn.commit()
cursor.execute('''INSERT INTO testtable VALUES ("PENN's", "Single", "7744-7745", "7744 (A)", "Unknown", "Wendell Stuart", "I Am Who I Am", "I Am Who I Am", "Frank Penn", 1)''')
conn.commit()
userinput = 'penn'
cursor.execute("""select distinct label,format,year,catnum,artist,relname from testtable where artist like '%penn' or artist like '%penn%' or artist like 'penn%' order by year, label, catnum, year, format, artist asc""")
print(cursor.fetchall())
conn.close()
以上作品......因为我实际上写出了用户的输入,(" penn")。我知道它有效,因为输出是:
[('PENN', 'LP', '1972', '002', 'Frank Penn', "'72")]
如何在底部更改SQL语句,以便它只使用变量" userinput",同时具有相同的功能?
如果我只是用变量" userinput"替换用户输入,就像这样:
cursor.execute("""select distinct label,format,year,catnum,artist,relname from testtable where artist like '%userinput' or artist like '%userinput%' or artist like 'userinput%' order by year, label, catnum, year, format, artist asc""")
然后搜索结果为[],因为它假定我正在寻找字符串的实例" userinput"在数据库中,而不是将其视为包含字符串的变量。因此一无所获。
编辑:用户提供的解决方案" SatanDmytro"和#34; Shiprex"都工作
答案 0 :(得分:0)
在执行之前定义语句:
statement="select distinct label,format,year,catnum,artist,relname from testtable where artist like %s or artist like %s or artist like %s order by year, label, catnum, year, format, artist asc" % (userinput,userinput,userinput)
然后执行:
cursor.execute(statement)
答案 1 :(得分:0)
请注意,任何时候使用python字符串格式化方法(例如%s," {}" .format())在其他一些答案中建议直接在您的SQL查询中你正在打开sql注入。见this
相反,您将要使用parameter options可用,并写更多这样的内容:
#format the userinput for the wildcards first - still in your python environment
search = ("%{}%".format(userinput), )
#pass as parameter to the cursor
cursor.execute("""
select distinct label,format,year,catnum,artist,relname
from testtable
where artist like ?
order by year, label, catnum, year, format, artist asc
""", search)
这样,在数据库调用时对输入进行了一定程度的清理。
答案 2 :(得分:-1)
尝试:
cursor.execute("""
select distinct label,format,year,catnum,artist,relname
from testtable
where artist like '%%{userinput}%%'
order by year, label, catnum, year, format, artist asc
""".format(userinput=userinput))