在Python中的查询中间追加字符串
我试图在Python中构建一个查询,我正在寻找一种优雅的方法来在字符串中间添加一个WHERE条件:在Python中的查询中间追加字符串,python,string,format,Python,String,Format,我试图在Python中构建一个查询,我正在寻找一种优雅的方法来在字符串中间添加一个WHERE条件: def get_raw_queryset(frequency=None, where_condition=None): qs = "SELECT id, COUNT(*) AS count FROM user_transaction_log " \ # I WANT TO APPEND A WHERE ONLY IF not None if where_
def get_raw_queryset(frequency=None, where_condition=None):
qs = "SELECT id, COUNT(*) AS count FROM user_transaction_log " \
# I WANT TO APPEND A WHERE ONLY IF not None
if where_condition:
"WHERE .... = 1" \
"GROUP BY type , strftime('{0}', datetime) ORDER BY id" \
.format(frequency)
return qs
"SELECT ..." + bool(where_condition) * ("WHERE ...") + "GROUP ..."
只要您能够安全地评估WHERE字符串,即使
WHERE\u条件def get_raw_queryset(frequency=None, where_condition=None):
qs = "SELECT id, COUNT(*) AS count FROM user_transaction_log " \
# I WANT TO APPEND A WHERE ONLY IF not None
if where_condition:
"WHERE .... = 1" \
"GROUP BY type , strftime('{0}', datetime) ORDER BY id" \
.format(frequency)
return qs
"SELECT ..." + bool(where_condition) * ("WHERE ...") + "GROUP ..."
我希望您非常小心地避免SQL注入。只要您能够安全地评估WHERE字符串,即使WHERE\u条件不是一个字符串,这将起作用:
def get_raw_queryset(frequency=None, where_condition=None):
qs = "SELECT id, COUNT(*) AS count FROM user_transaction_log " \
# I WANT TO APPEND A WHERE ONLY IF not None
if where_condition:
"WHERE .... = 1" \
"GROUP BY type , strftime('{0}', datetime) ORDER BY id" \
.format(frequency)
return qs
"SELECT ..." + bool(where_condition) * ("WHERE ...") + "GROUP ..."
我希望您非常小心地避免SQL注入。我使用的是django,这是我后端的一个函数。我应该担心吗?@GustavoReyes这取决于用户输入是否用于构造该条件。然后我们就没事了:)我正在使用django,这是我后端的一个函数。我应该担心吗?@GustavoReyes这取决于用户输入是否用于构造该条件。那么我们就没事了:)