On 06/06/2010 21:20, Dennis Lee Bieber wrote:
On Sun, 6 Jun 2010 11:07:25 -0400, Victor Subervi <victorsube...@gmail.com> declaimed the following in gmane.comp.python.general:
Hi;
I tried this:
cursor.execute('drop table tmp%s', tmpTable)
ONCE AGAIN...
Database SCHEMA entities must be formatted using the Python %
operator. AND they should never be obtained as input from a user.
DATA ITEMS obtained from anywhere need to use parameterized query
passing so that the DB-API can safely escape them, and in the case of
MySQLdb, put quote marks around them.
SCHEMA entities are: DATABASE name, TABLE name, COLUMN name (and if
you have them, TRIGGER, PROCEDURE, and VIEW names).
The statement you have is SCHEMA manipulation.
Print this out and tape it to your monitor. The next time you get
one of these "inexplicable" error messages, review the above statements
and compare to your query. I'm sure the answer will be obvious.
Do you have edit access to the MySQLdb files? If so, open
cursors.py, find the execute method, and put in a print statement. This
does also assume you are running locally (not via a web client) so that
the output can be seen on screen.
(Mine is located in E:\Python25\Lib\site-packages\MySQLdb\cursors.py)
Look for:
-=-=-=-=-
    def execute(self, query, args=None):
        """Execute a query.

        query -- string, query to execute on server
        args -- optional sequence or mapping, parameters to use with
            query.

        Note: If args is a sequence, then %s must be used as the
        parameter placeholder in the query. If a mapping is used,
        %(key)s must be used as the placeholder.

        Returns long integer rows affected, if any
        """
        from types import ListType, TupleType
        from sys import exc_info
        del self.messages[:]
        db = self._get_db()
        charset = db.character_set_name()
        if isinstance(query, unicode):
            query = query.encode(charset)
        if args is not None:
            query = query % db.literal(args)
        try:
            r = self._query(query)
        except TypeError, m:
            if m.args[0] in ("not enough arguments for format string",
-=-=-=-=-
and change
        if args is not None:
            query = query % db.literal(args)
into
        if args is not None:
            query = query % db.literal(args)
            print query
Notice how your use of % for testing does NOT generate the same code
-- MySQLdb invokes db.literal() to escape the arguments, but you are
doing just
query = query % (args)
cursor.execute('drop table tmp%s', tmpTable)
produces
drop table tmp'xyz'
NOT
drop table tmpxyz
Well put, Sir. Can I suggest that the OP's continual requests for
assistance are simply not cricket? :) Yeah, I'm a Brit, and yeah, I'm
fed up with getting thrashed by the Aussies.
Kindest regards.
Mark Lawrence.
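The schema-versus-data distinction Dennis spells out above, as an added Python sketch that is neither part of this thread nor MySQLdb's own code: `literal()` is a simplified stand-in for `db.literal()`, and `IDENT_RE`/`schema_name()` are a hypothetical allowlist policy for table names, not anything the DB-API provides.

```python
import re

def literal(value):
    """Stand-in for MySQLdb's db.literal(): quote and escape a DATA value.
    (Simplified; the real driver handles many more types and charsets.)"""
    if isinstance(value, (int, float)):
        return str(value)
    escaped = str(value).replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"

def dbapi_style(query, args):
    """What cursor.execute(query, args) really builds: query % db.literal(args).
    Every argument comes back quoted, which is right for data, wrong for names."""
    return query % tuple(literal(a) for a in args)

def naive_style(query, args):
    """What the OP tested with at the prompt: plain query % args, no escaping."""
    return query % tuple(args)

# Hypothetical allowlist for SCHEMA entities (database/table/column names):
# letters, digits and underscore only, MySQL's 64-character limit.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")

def is_schema_name(name):
    """True if the string is acceptable as an identifier under the allowlist."""
    return bool(IDENT_RE.match(name))

def schema_name(name):
    """Validate a schema entity and backtick-quote it; refuse anything else
    rather than letting an unchecked string reach the % operator."""
    if not is_schema_name(name):
        raise ValueError("invalid identifier: %r" % (name,))
    return "`" + name + "`"

def drop_tmp_table_sql(suffix):
    """The OP's DROP TABLE, with the suffix treated as schema, not data."""
    return "drop table %s" % schema_name("tmp" + suffix)

if __name__ == "__main__":
    print(dbapi_style("drop table tmp%s", ["xyz"]))   # drop table tmp'xyz'
    print(naive_style("drop table tmp%s", ["xyz"]))   # drop table tmpxyz
    print(drop_tmp_table_sql("xyz"))                  # drop table `tmpxyz`
```

Running it reproduces the two outputs in Dennis's reply side by side, and shows why the suffix has to be checked by the application before the `%` operator ever sees it.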
--
http://mail.python.org/mailman/listinfo/python-list