Interpolate Python variables into SQL statements.
Project description
Safely and easily interpolate Python variables into SQL based upon context. Most of your interaction with this package will be through the SQLInterp class:
>>> from sql_interp import SQLInterp
>>> person = {'last_name': 'Doe'}
>>> criteria = {'first_name': ['Jane', 'John']}
# Create an instance of SQLInterp and use the interp method to get the SQL and bind
# variables ready to pass to your database cursor.
>>> sqli = SQLInterp()
>>> sqli.interp("UPDATE people SET", person, "WHERE", criteria)
('UPDATE people SET last_name = ? WHERE first_name IN (?, ?)', ('Doe', 'Jane', 'John'))
Caution
sql_interp works by assuming that any non-string variables passed to interp need to be treated as bind variables. This means that any arguments passed that are strings will be treated as raw SQL. If you are not careful, this could lead to a SQL injection attack. To avoid this, if there is any chance at all that a variable is a string, you must tell sql_interp that it is not raw SQL. You can do this with the esc method of the SQLInterp object.
Here is an example:
>>> sqli = SQLInterp()
>>> first_name = 'John'
# The following is wrong! This could lead to a SQL injection attack.
>>> sqli.interp("SELECT * FROM table WHERE first_name =", first_name)
('SELECT * FROM table WHERE first_name = John', ())
# This is the correct way.
>>> sqli.interp("SELECT * FROM table WHERE first_name =", sqli.esc(first_name))
('SELECT * FROM table WHERE first_name = ?', ('John',))
This does not apply if the string is a value in a list or dictionary as in the other examples in this documentation.
Examples
The SQLInterp object can handle interpolating many different types:
>>> age = 25
>>> first_names = ['Jenny', 'John', 'Jeremy']
>>> sqli.interp("UPDATE people SET age =", age, "WHERE first_names IN", first_names)
('UPDATE people SET age = ? WHERE first_names IN (?, ?, ?)', (25, 'Jenny', 'John', 'Jeremy'))
Interpolation is context sensitive, so the same type will be interpreted into SQL correctly for its usage:
>>> punk_rockers = {'hair': 'pink', 'tattoos': 'three'}
>>> accessories = {'piercings': 6, 'pants': 'vinyl'}
>>> sqli.interp("UPDATE people SET", accessories, "WHERE", punk_rockers)
('UPDATE people SET pants = ?, piercings = ? WHERE hair = ? AND tattoos = ?', ('vinyl', 6, 'pink', 'three'))
Acknowledgments
This project is an indirect port of Perl’s SQL::Interp.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
File details
Details for the file sql_interp-0.1.0.tar.gz.
File metadata
- Download URL: sql_interp-0.1.0.tar.gz
- Upload date:
- Size: 5.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
86f7a656d3024c9175ebb8426cb8eb9c927561a48776316672f8369a34e154e7
|
|
| MD5 |
9489cd96261ea3776cdb39d2e0fec7ff
|
|
| BLAKE2b-256 |
f1b5a292548130f0262a2ed981791655974ab150dea4610794b9f03ad0b9cf75
|
