Dynamically search for null in sqlite select query using python
I'm new to python and I want to do a similar query to this one:
_c.execute('select * from cases where bi = ? and age = ? and
shape = ? and margin = ? and density = ?',(obj['bi'],
obj['age'], obj['margin'], obj['density']))
When some of the parameters are None
, for example obj['bi'] = None
, the query searches for the row when bi = 'None'
. But I want it to search for the row when: 'bi is NULL'
A possible solution is to verify the values of the parameters one by one in a sequence of if-elses. For example:
query = 'select * from cases where'
if obj['bi'] is None:
query += ' bi is null'
else:
query += ' bi = ' + str(obj['bi']) + ' and '
...
# do the same if-else for the other parameters
...
_c.execute(query)
But, it doesn't seem to me as the best solution.
The question is, what is the best solution to the given problem and how to avoid SQL injections.
python sqlite sqlite3 null sql-injection
|
show 1 more comment
I'm new to python and I want to do a similar query to this one:
_c.execute('select * from cases where bi = ? and age = ? and
shape = ? and margin = ? and density = ?',(obj['bi'],
obj['age'], obj['margin'], obj['density']))
When some of the parameters are None
, for example obj['bi'] = None
, the query searches for the row when bi = 'None'
. But I want it to search for the row when: 'bi is NULL'
A possible solution is to verify the values of the parameters one by one in a sequence of if-elses. For example:
query = 'select * from cases where'
if obj['bi'] is None:
query += ' bi is null'
else:
query += ' bi = ' + str(obj['bi']) + ' and '
...
# do the same if-else for the other parameters
...
_c.execute(query)
But, it doesn't seem to me as the best solution.
The question is, what is the best solution to the given problem and how to avoid SQL injections.
python sqlite sqlite3 null sql-injection
2
(CASE WHEN ?1 = 'None' THEN bi IS NULL ELSE bi = ?1 END) AND ...
?
– Shawn
Nov 22 at 20:15
1
@Shawn What is?1
? I don't know this syntax
– roganjosh
Nov 22 at 20:16
1
It's the first bound parameter.?2
is the second, and so on. sqlite.org/lang_expr.html#varparam
– Shawn
Nov 22 at 20:20
1
@Shawn 3 years of using SQLite and never once encountered that. Thanks. I suggest you answer the question if you think you can solve the problem; it's not a trivial-answer-in-commments type of problem
– roganjosh
Nov 22 at 20:22
1
@Shawn could you please explain more your idea?
– Bentaiba Miled Basma
Nov 22 at 20:47
|
show 1 more comment
I'm new to python and I want to do a similar query to this one:
_c.execute('select * from cases where bi = ? and age = ? and
shape = ? and margin = ? and density = ?',(obj['bi'],
obj['age'], obj['margin'], obj['density']))
When some of the parameters are None
, for example obj['bi'] = None
, the query searches for the row when bi = 'None'
. But I want it to search for the row when: 'bi is NULL'
A possible solution is to verify the values of the parameters one by one in a sequence of if-elses. For example:
query = 'select * from cases where'
if obj['bi'] is None:
query += ' bi is null'
else:
query += ' bi = ' + str(obj['bi']) + ' and '
...
# do the same if-else for the other parameters
...
_c.execute(query)
But, it doesn't seem to me as the best solution.
The question is, what is the best solution to the given problem and how to avoid SQL injections.
python sqlite sqlite3 null sql-injection
I'm new to python and I want to do a similar query to this one:
_c.execute('select * from cases where bi = ? and age = ? and
shape = ? and margin = ? and density = ?',(obj['bi'],
obj['age'], obj['margin'], obj['density']))
When some of the parameters are None
, for example obj['bi'] = None
, the query searches for the row when bi = 'None'
. But I want it to search for the row when: 'bi is NULL'
A possible solution is to verify the values of the parameters one by one in a sequence of if-elses. For example:
query = 'select * from cases where'
if obj['bi'] is None:
query += ' bi is null'
else:
query += ' bi = ' + str(obj['bi']) + ' and '
...
# do the same if-else for the other parameters
...
_c.execute(query)
But, it doesn't seem to me as the best solution.
The question is, what is the best solution to the given problem and how to avoid SQL injections.
python sqlite sqlite3 null sql-injection
python sqlite sqlite3 null sql-injection
edited Nov 30 at 16:47
Brad Larson♦
161k40363541
161k40363541
asked Nov 22 at 20:05
Bentaiba Miled Basma
3401415
3401415
2
(CASE WHEN ?1 = 'None' THEN bi IS NULL ELSE bi = ?1 END) AND ...
?
– Shawn
Nov 22 at 20:15
1
@Shawn What is?1
? I don't know this syntax
– roganjosh
Nov 22 at 20:16
1
It's the first bound parameter.?2
is the second, and so on. sqlite.org/lang_expr.html#varparam
– Shawn
Nov 22 at 20:20
1
@Shawn 3 years of using SQLite and never once encountered that. Thanks. I suggest you answer the question if you think you can solve the problem; it's not a trivial-answer-in-commments type of problem
– roganjosh
Nov 22 at 20:22
1
@Shawn could you please explain more your idea?
– Bentaiba Miled Basma
Nov 22 at 20:47
|
show 1 more comment
2
(CASE WHEN ?1 = 'None' THEN bi IS NULL ELSE bi = ?1 END) AND ...
?
– Shawn
Nov 22 at 20:15
1
@Shawn What is?1
? I don't know this syntax
– roganjosh
Nov 22 at 20:16
1
It's the first bound parameter.?2
is the second, and so on. sqlite.org/lang_expr.html#varparam
– Shawn
Nov 22 at 20:20
1
@Shawn 3 years of using SQLite and never once encountered that. Thanks. I suggest you answer the question if you think you can solve the problem; it's not a trivial-answer-in-commments type of problem
– roganjosh
Nov 22 at 20:22
1
@Shawn could you please explain more your idea?
– Bentaiba Miled Basma
Nov 22 at 20:47
2
2
(CASE WHEN ?1 = 'None' THEN bi IS NULL ELSE bi = ?1 END) AND ...
?– Shawn
Nov 22 at 20:15
(CASE WHEN ?1 = 'None' THEN bi IS NULL ELSE bi = ?1 END) AND ...
?– Shawn
Nov 22 at 20:15
1
1
@Shawn What is
?1
? I don't know this syntax– roganjosh
Nov 22 at 20:16
@Shawn What is
?1
? I don't know this syntax– roganjosh
Nov 22 at 20:16
1
1
It's the first bound parameter.
?2
is the second, and so on. sqlite.org/lang_expr.html#varparam– Shawn
Nov 22 at 20:20
It's the first bound parameter.
?2
is the second, and so on. sqlite.org/lang_expr.html#varparam– Shawn
Nov 22 at 20:20
1
1
@Shawn 3 years of using SQLite and never once encountered that. Thanks. I suggest you answer the question if you think you can solve the problem; it's not a trivial-answer-in-commments type of problem
– roganjosh
Nov 22 at 20:22
@Shawn 3 years of using SQLite and never once encountered that. Thanks. I suggest you answer the question if you think you can solve the problem; it's not a trivial-answer-in-commments type of problem
– roganjosh
Nov 22 at 20:22
1
1
@Shawn could you please explain more your idea?
– Bentaiba Miled Basma
Nov 22 at 20:47
@Shawn could you please explain more your idea?
– Bentaiba Miled Basma
Nov 22 at 20:47
|
show 1 more comment
1 Answer
1
active
oldest
votes
Okay, after firing up a python REPL and playing around with it a bit, it's simpler than I thought. The Python sqlite bindings turn a Python None
into a SQL NULL
, not into a string 'None'
like it sounded like from your question. In SQL, =
doesn't match NULL
values, but IS
will. So...
Given a table foo
looking like:
a | b
--------------
NULL | 1
Dog | 2
Doing:
c = conn.cursor()
c.execute('SELECT * FROM foo WHERE a IS ?', (None,))
print(c.fetchone())
will return the (NULL, 1)
row, and
c.execute('SELECT * FROM foo WHERE a IS ?', ('Dog',))
print(c.fetchone())
will return the ('Dog', 2)
row.
In other words, use IS
not =
in your query.
It worked! Thanks a lot
– Bentaiba Miled Basma
Nov 22 at 21:17
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53437461%2fdynamically-search-for-null-in-sqlite-select-query-using-python%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Okay, after firing up a python REPL and playing around with it a bit, it's simpler than I thought. The Python sqlite bindings turn a Python None
into a SQL NULL
, not into a string 'None'
like it sounded like from your question. In SQL, =
doesn't match NULL
values, but IS
will. So...
Given a table foo
looking like:
a | b
--------------
NULL | 1
Dog | 2
Doing:
c = conn.cursor()
c.execute('SELECT * FROM foo WHERE a IS ?', (None,))
print(c.fetchone())
will return the (NULL, 1)
row, and
c.execute('SELECT * FROM foo WHERE a IS ?', ('Dog',))
print(c.fetchone())
will return the ('Dog', 2)
row.
In other words, use IS
not =
in your query.
It worked! Thanks a lot
– Bentaiba Miled Basma
Nov 22 at 21:17
add a comment |
Okay, after firing up a python REPL and playing around with it a bit, it's simpler than I thought. The Python sqlite bindings turn a Python None
into a SQL NULL
, not into a string 'None'
like it sounded like from your question. In SQL, =
doesn't match NULL
values, but IS
will. So...
Given a table foo
looking like:
a | b
--------------
NULL | 1
Dog | 2
Doing:
c = conn.cursor()
c.execute('SELECT * FROM foo WHERE a IS ?', (None,))
print(c.fetchone())
will return the (NULL, 1)
row, and
c.execute('SELECT * FROM foo WHERE a IS ?', ('Dog',))
print(c.fetchone())
will return the ('Dog', 2)
row.
In other words, use IS
not =
in your query.
It worked! Thanks a lot
– Bentaiba Miled Basma
Nov 22 at 21:17
add a comment |
Okay, after firing up a python REPL and playing around with it a bit, it's simpler than I thought. The Python sqlite bindings turn a Python None
into a SQL NULL
, not into a string 'None'
like it sounded like from your question. In SQL, =
doesn't match NULL
values, but IS
will. So...
Given a table foo
looking like:
a | b
--------------
NULL | 1
Dog | 2
Doing:
c = conn.cursor()
c.execute('SELECT * FROM foo WHERE a IS ?', (None,))
print(c.fetchone())
will return the (NULL, 1)
row, and
c.execute('SELECT * FROM foo WHERE a IS ?', ('Dog',))
print(c.fetchone())
will return the ('Dog', 2)
row.
In other words, use IS
not =
in your query.
Okay, after firing up a python REPL and playing around with it a bit, it's simpler than I thought. The Python sqlite bindings turn a Python None
into a SQL NULL
, not into a string 'None'
like it sounded like from your question. In SQL, =
doesn't match NULL
values, but IS
will. So...
Given a table foo
looking like:
a | b
--------------
NULL | 1
Dog | 2
Doing:
c = conn.cursor()
c.execute('SELECT * FROM foo WHERE a IS ?', (None,))
print(c.fetchone())
will return the (NULL, 1)
row, and
c.execute('SELECT * FROM foo WHERE a IS ?', ('Dog',))
print(c.fetchone())
will return the ('Dog', 2)
row.
In other words, use IS
not =
in your query.
answered Nov 22 at 21:10
Shawn
3,4531613
3,4531613
It worked! Thanks a lot
– Bentaiba Miled Basma
Nov 22 at 21:17
add a comment |
It worked! Thanks a lot
– Bentaiba Miled Basma
Nov 22 at 21:17
It worked! Thanks a lot
– Bentaiba Miled Basma
Nov 22 at 21:17
It worked! Thanks a lot
– Bentaiba Miled Basma
Nov 22 at 21:17
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53437461%2fdynamically-search-for-null-in-sqlite-select-query-using-python%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
2
(CASE WHEN ?1 = 'None' THEN bi IS NULL ELSE bi = ?1 END) AND ...
?– Shawn
Nov 22 at 20:15
1
@Shawn What is
?1
? I don't know this syntax– roganjosh
Nov 22 at 20:16
1
It's the first bound parameter.
?2
is the second, and so on. sqlite.org/lang_expr.html#varparam– Shawn
Nov 22 at 20:20
1
@Shawn 3 years of using SQLite and never once encountered that. Thanks. I suggest you answer the question if you think you can solve the problem; it's not a trivial-answer-in-commments type of problem
– roganjosh
Nov 22 at 20:22
1
@Shawn could you please explain more your idea?
– Bentaiba Miled Basma
Nov 22 at 20:47