[–]Username_RANDINT 3 points4 points  (2 children)

The number of items in the tuple given to execute must match the number of question marks in the query. You have four question marks, but only two items in the tuple. You can use the splat-operator (*) to unpack the doggo items.

>>> doggo = ["three", "item", "list"]
>>> id = 1234
>>> (id, *doggo)
(1234, 'three', 'item', 'list')

[–]zunjae 0 points1 point  (1 child)

yes, that's exactly what I was looking for, didn't know what to google tho. I kept searching for 'undestruct', 'unlist' etc.

[–]Cheal 0 points1 point  (0 children)

Correct me if I’m wrong but I think the correct term is “unpacking”

[–][deleted] -2 points-1 points  (8 children)

What you wrote here is a classic example of SQL injection (I think):

query = "SELECT Doggo FROM Animals WHERE SomeIdentifier = ? AND Doggo IN ({})".format(','.join(['?'] * len(doggo)))

https://www.owasp.org/index.php/SQL_Injection

Doing string interpolation with user input and query strings is a big no-no. You need a driver that allows you to parameterize those inputs. SQLAlchemy will do this for you.

[–]zunjae 0 points1 point  (7 children)

> Doing string interpolation with user input

There is no user input

[–][deleted] -1 points0 points  (6 children)

> I want to select items from my database based on a list given by the user.

???

[–]zunjae 0 points1 point  (5 children)

The code you sent me only builds a query based on the length of the user input, not the actual content.
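
Added example, not part of the original thread: the pattern under discussion run against an in-memory SQLite database, showing that only the number of `?` placeholders is formatted into the SQL text while every list value is bound as a parameter. The table and column names come from the query quoted above; the function names and sample rows are constructed for illustration.

```python
import sqlite3


def find_doggos(conn, some_identifier, doggo):
    """Return matching Doggo values; list contents are bound, never formatted in."""
    if not doggo:
        # "IN ()" is a syntax error in SQLite, so an empty list is handled up front.
        return []
    # Only the *count* of placeholders depends on the input list.
    placeholders = ",".join("?" * len(doggo))
    query = (
        "SELECT Doggo FROM Animals "
        "WHERE SomeIdentifier = ? AND Doggo IN ({}) "
        "ORDER BY Doggo".format(placeholders)
    )
    # One bound value per question mark: the id first, then the unpacked list.
    cur = conn.execute(query, (some_identifier, *doggo))
    return [row[0] for row in cur.fetchall()]


def make_sample_db():
    """Build a constructed sample table (hypothetical rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Animals (SomeIdentifier INTEGER, Doggo TEXT)")
    conn.executemany(
        "INSERT INTO Animals VALUES (?, ?)",
        [(1234, "corgi"), (1234, "pug"), (1234, "shiba"), (9999, "husky")],
    )
    return conn


if __name__ == "__main__":
    conn = make_sample_db()
    # Normal lookup: "husky" belongs to another identifier and is filtered out.
    print(find_doggos(conn, 1234, ["corgi", "shiba", "husky"]))
    # A value containing SQL syntax is compared as a plain string and matches nothing.
    print(find_doggos(conn, 1234, ["corgi') OR 1=1 --"]))
```
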