Search code examples
pythonsqlpython-2.7sybase

Python and Prepared SQL Statements using Variables


I'm fairly new to Python but have a project I am working on so please excuse any nativity on my part. I am writing some SQL statements in Python 2.7 (Libraries not upgraded to 3 yet) but I am getting stuck on best practice procedure for them. We are using Sybase. Initially I was using

query = "UPDATE DB..TABLE SET version = '{}' WHERE name = '{}'".format(app.version, app.name)
cursor.execute(query)

But realised this after further reading that it is open to injection. So I then looked at doing the following:

query = "UPDATE DB..TABLE SET version = '%s' WHERE name = '%s'" % (app.version, app.name)
cursor.execute(query)

But got me to thinking is this not the same thing?

The parameters are also variables set by argparse, which means I have to use the '' around %s otherwise it throws up the invalid column name error. Which is frustrating for me as I also want to be able to pass NULL (None in Python) by default if any additional flags aren't set in other queries, otherwise it obviously inserts "NULL" as string.

For this particular example the 2 variables are set from a file being read by ConfigParser but I think it's still the same for argparse variables. e.g.

[SECTION]
application=name
version=1.0

I'm not quite sure how to best tackle this issue and yes yes I know "PYTHON 3 IS BETTER UPGRADE TO IT", as I said at the start, the libraries are in the process of being ported.

If you need any additional info then please advise and I will give you the best I can.

UPDATE*** Using the following Param style string I found in some sybase docs it can work but it does not pass None for NULL and throws up errors, starting to think this is a limitation of the sybase module in python.

cursor.execute("SELECT * FROM DB..table where app_name=@app_name", {"@app_name": app_name})
or
params = {"@appname": app.name. "@appver": app.version}
sql = "INSERT INTO DB..table (app_name, app_version) VALUES (@appname, @appversion)
cursor.execute(sql, params)

There is an issue though if you have a global list of params and feed that to a query that if any are None then it gives you a lot of errors again about being None, EVEN if those specific params aren't used in the query. Think I may be stuck doing IF statements for various options here for multiple inserts to bypass this None NULL issue.


Solution

  • Ok I have resolved this issue now. I had to update the sybase module in order to get it to work with None > NULL.

    As posted in the updated question. the below is how I was running the queries.

    cursor.execute("SELECT * FROM DB..table where app_name=@app_name", {"@app_name": app_name})
    or
    params = {"@appname": app.name. "@appver": app.version}
    sql = "INSERT INTO DB..table (app_name, app_version) VALUES (@appname, @appversion)
    cursor.execute(sql, params)