Ignoring the facet that the error message is from a SELECT
statement...
Hi..
I want to insert some data to postgresql..
My insert code:
yer="019"
cursor.execute("INSERT INTO ids_%s (id) VALUES (%s)", (yer, id))
I don't want to use % when the insert operation.
Place holders are used for DATA values. Your SQL, except for the
data values, SHOULD BE fixed. This means that table names, column names,
keywords/operators... can NOT be changed using parameterized queries.
Parameterized queries are used to ensure the data values are safely
delimited -- preventing injection of undesirable SQL.
If you have a database where TABLE names contain a year string (I'm
presuming from the "yer"), then you have a poor database schema. Instead
of multiple tables with identical definitions and differing only in the
table name, you should probably have ONE table (and one generic name)
and store the discriminant as another field. That is, instead of:
Table_123(ID, description, whatever)
Table_221(ID, description, whatever)
....
use:
TableSet(discriminant, ID, description, whatever)
And your insert becomes:
insert into TableSet (discriminant, ID) values (%s, %s)
If you MUST have dynamic table/column names, for safety they should
never be created directly from user input, but rather computed
internally from safe data.
Table_123(ID, description, whatever)
Table_221(ID, description, whatever)
....
Table_Names(suffix, tablename)
123, Table_123
221, Table_221
Then, if the suffix is user input, use something like:
select tablename from Table_Names where suffix = %s
taking the result and modifying the subsequent SQL using Python string
interpolation. This ensures that the parameter escaping of the user
input gives you a safe (eg, value retrieved from the database itself)
value that can be used to directly modify the SQL.
Note how the data placeholder had to be escaped (not needed for
database adapters that use ? as the placeholder)
--
Wulfraed Dennis Lee Bieber KD6MOG
(e-mail address removed) (e-mail address removed)
HTTP://wlfraed.home.netcom.com/
(Bestiaria Support Staff: (e-mail address removed))
HTTP://www.bestiaria.com/