Python 如何在参数和值都是变量的情况下进行SQLite查询?
我试图让用户搜索一个SQL表,方法是首先输入要搜索的参数,然后输入要在该参数内搜索的值Python 如何在参数和值都是变量的情况下进行SQLite查询?,python,sql,sqlite,Python,Sql,Sqlite,我试图让用户搜索一个SQL表,方法是首先输入要搜索的参数,然后输入要在该参数内搜索的值 import sqlite3 conn = sqlite3.connect('[project directory]/db.sqlite3') c = conn.cursor() def search_entry(): '''Searches database based on user input, returns rows ''' # Search parameters di
import sqlite3
conn = sqlite3.connect('[project directory]/db.sqlite3')
c = conn.cursor()
def search_entry():
'''Searches database based on user input, returns rows
'''
# Search parameters dictionary
search_par = {
'1': 'id',
'2': 'date',
'3': 'account',
'4': 'trans_type',
'5': 'main_cat',
'6': 'sub_cat',
'7': 'name',
'8': 'amount',
'9': 'all',
}
print('\n')
for key in search_par:
print(key, ': ', search_par[key])
print('\n')
# Select parameter number to search by
while True:
try:
par_select = str(int(input('Select parameter number to search by: ')))
if (int(par_select) < 10 and int(par_select) > 0):
break
else:
pass
except:
pass
sel_par = search_par[par_select] # Select corresponding parameter
# Select value to search
while True:
try:
id_search = input('Select value to search: ')
break
except:
pass
c.execute('SELECT * FROM form_entry WHERE (?)=(?)', (sel_par, id_search,))
rows = c.fetchall()
for row in rows:
for col in row:
print('%s,' % col)
print('\n')
search_entry()
import sqlite3
conn = sqlite3.connect('[project directory]/db.sqlite3')
c = conn.cursor()
def search_entry():
'''Searches database based on user input, returns rows
'''
# Search parameters dictionary
search_par = {
'1': 'id',
'2': 'date',
'3': 'account',
'4': 'trans_type',
'5': 'main_cat',
'6': 'sub_cat',
'7': 'name',
'8': 'amount',
'9': 'all',
}
print('\n')
for key in search_par:
print(key, ': ', search_par[key])
print('\n')
# Select parameter number to search by
while True:
try:
par_select = str(int(input('Select parameter number to search by: ')))
if (int(par_select) < 10 and int(par_select) > 0):
break
else:
pass
except:
pass
sel_par = search_par[par_select] # Select corresponding parameter
# Select value to search
while True:
try:
id_search = input('Select value to search: ')
break
except:
pass
c.execute('SELECT * FROM form_entry WHERE (?)=(?)', (sel_par, id_search,))
rows = c.fetchall()
for row in rows:
for col in row:
print('%s,' % col)
print('\n')
search_entry()
import sqlite3
conn = sqlite3.connect('[project directory]/db.sqlite3')
c = conn.cursor()
def search_entry():
'''Searches database based on user input, returns rows
'''
# Search parameters dictionary
search_par = {
'1': 'id',
'2': 'date',
'3': 'account',
'4': 'trans_type',
'5': 'main_cat',
'6': 'sub_cat',
'7': 'name',
'8': 'amount',
'9': 'all',
}
print('\n')
for key in search_par:
print(key, ': ', search_par[key])
print('\n')
# Select parameter number to search by
while True:
try:
par_select = str(int(input('Select parameter number to search by: ')))
if (int(par_select) < 10 and int(par_select) > 0):
break
else:
pass
except:
pass
sel_par = search_par[par_select] # Select corresponding parameter
# Select value to search
while True:
try:
id_search = input('Select value to search: ')
break
except:
pass
c.execute('SELECT * FROM form_entry WHERE (?)=(?)', (sel_par, id_search,))
rows = c.fetchall()
for row in rows:
for col in row:
print('%s,' % col)
print('\n')
search_entry()
c.execute('SELECT * FROM form_entry WHERE '+colnamesarray[i]=?', colvaluesarray[i])
您也可以尝试使用以下格式
c.execute("SELECT * FROM form_entry WHERE {}" .format(Variable))
我不能代表SQLite,但一般来说,除非使用动态SQL,否则不能将表名或列名作为参数传递。在SQLite中搜索如何使用动态SQL,这可能会有所帮助。当前端编程语言可以动态创建SQL时,使用动态SQL并没有多大意义——可能是一种令人困惑的间接寻址,使用python生成运行查询的动态SQL;我只是让python生成queryAh,这就解释了。非常感谢。你知道这样做是否安全和/或希望按照你的建议去做吗?@Nicolas如果是用户输入,那肯定是不安全的。但是如果你能100%确保列名是有效的,那就不会有问题;连接列名是安全的,因为作为开发人员,您知道列名,并且不会在其中添加黑客。不允许用户指定列名。用户只提供输入值,但这是不可破解的,因为您将该值放入了参数中。只要将参数占位符串联在一起,然后将值放入参数中,就可以通过字符串concat构建sql