Warning: file_get_contents(/data/phpspider/zhask/data//catemap/5/sql/78.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
在Python中向查询传递多个列表参数_Python_Sql - Fatal编程技术网
Fatal编程技术网
  • python/
  • 在Python中向查询传递多个列表参数

在Python中向查询传递多个列表参数

python sql

在Python中向查询传递多个列表参数,python,sql,Python,Sql,我有三份清单: countries=['AUSTRALIA', 'FRANCE', 'ITALY'] segments=['little','medium','big','huge'] costumers = ['ERIK','FRANK','BOB', 'JANE'] 我必须这样写: cursor.execute("SELECT COUNTRY, SEGMENT, CUSTOMER, VALUE WHERE COUNTRY IN ?, SEGMENT IN ?, VALUE IN ?, (c

我有三份清单:

countries=['AUSTRALIA', 'FRANCE', 'ITALY']
segments=['little','medium','big','huge']
costumers = ['ERIK','FRANK','BOB', 'JANE']
我必须这样写:

cursor.execute("SELECT COUNTRY, SEGMENT, CUSTOMER, VALUE
WHERE COUNTRY IN ?, SEGMENT IN ?, VALUE IN ?, (countries, segments, costumers))

countries=['AUSTRALIA', 'FRANCE', 'ITALY']
segments=['little','medium','big','huge']
costumers = ['ERIK','FRANK','BOB', 'JANE']

query = ("SELECT COUNTRY, SEGMENT, CUSTOMER, VALUE "
         " WHERE COUNTRY IN ('{}') "
         " AND SEGMENT IN ('{}') "
         " AND VALUE IN ('{}')").format(countries, segments, costumers)
cursor.execute(query)
有什么想法吗?这三个列表在每个列表的组件数量上可能有所不同

提前谢谢

您可以这样做:

cursor.execute("SELECT COUNTRY, SEGMENT, CUSTOMER, VALUE
WHERE COUNTRY IN ?, SEGMENT IN ?, VALUE IN ?, (countries, segments, costumers))

countries=['AUSTRALIA', 'FRANCE', 'ITALY']
segments=['little','medium','big','huge']
costumers = ['ERIK','FRANK','BOB', 'JANE']

query = ("SELECT COUNTRY, SEGMENT, CUSTOMER, VALUE "
         " WHERE COUNTRY IN ('{}') "
         " AND SEGMENT IN ('{}') "
         " AND VALUE IN ('{}')").format(countries, segments, costumers)
cursor.execute(query)
这可以通过以下方式解决:

cursor.执行(“选择国家、地区、客户、价值”+
“其中国家单位为%(1)s,分部单位为%(2)s,价值单位为%(3)s”,
{“1”:元组(国家),“2”:元组(分段),“3”:元组(客户)})
这确保了您仍然可以保护自己不受先前SQL注入的影响。它在字符串上也不会失败。

与使用字符串格式直接传递值的其他解决方案相比,这看起来像是更多的代码,但它更安全。仔细阅读,了解原因

将值作为参数传递(比字符串格式安全得多)的困难在于,在传入参数之前,查询必须看起来像这样(根据要传入的参数数量,
的数量不同):

所以您需要使用字符串格式来传递适当数量的?占位符:

countries=['AUSTRALIA', 'FRANCE', 'ITALY']
segments=['little','medium','big','huge']
customers = ['ERIK','FRANK','BOB', 'JANE']
country_placeholders = ','.join('?' for i in range(len(countries)))
segment_placeholders = ','.join('?' for i in range(len(segments)))
customer_placeholders = ','.join('?' for i in range(len(customers)))
query = """
SELECT COUNTRY, SEGMENT, CUSTOMER, VALUE FROM SOME_TABLE WHERE COUNTRY IN ({}) AND SEGMENT IN ({}) AND VALUE IN ({})
""".format(country_placeholders, segment_placeholders, customer_placeholders)
这将为您提供以下查询模板:

"SELECT COUNTRY, SEGMENT, CUSTOMER, VALUE FROM SOME_TABLE WHERE COUNTRY IN (?,?,?) AND SEGMENT IN (?,?,?,?) AND VALUE IN (?,?,?,?)"
现在,您只需执行并传递参数:

params = tuple(countries + segments + customers)
cursor.execute(query, params)
这是不可伸缩的。每次国家/地区、部门或客户发生变化时,都会更新查询。这会在内部负责将列表转换为逗号分隔的值吗?是的,只要列表不是空的。很好,我没有意识到这一点。我今天的投票结束了。我明天一定会投票。