If i want to run a GqlQuery with a variable i've set is that possible?
for example:
myNumber = 4
myResult = db.GqlQuery("SELECT * from myData WHERE filter = myNumber")
this results in:
Parse Error: Invalid WHERE condition at symbol
Am i going about this all wrong? Thanks for your time.
According to The Google Appengine Documentation, your code might look like this:
myNumber = 4
myResult = db.GqlQuery("SELECT * FROM myData WHERE filter = :num", num=myNumber)
or
myNumber = 4
myResult = db.GqlQuery("SELECT * FROM myData WHERE filter = :1", myNumber)
depending on whether you want to use a named or positional variable.
Related
I am following the Snowflake Python Connector docs for variable binding to avoid SQL injection. I successfully set up a db connection with the following dict of credentials:
import snowflake.connector
CONN = snowflake.connector.connect(
user=snowflake_creds['user'],
password=snowflake_creds['password'],
account=snowflake_creds['account'],
warehouse=snowflake_creds["warehouse"],
database=snowflake_creds['database'],
schema=snowflake_creds['schema'],
)
cur = CONN.cursor(snowflake.connector.DictCursor)
The following block works fine and I get back query results, hard-coding the table name and using the standard format binding:
command = ("SELECT * FROM TEST_INPUT_TABLE WHERE batch_id = %s")
bind_params = (2)
results = cur.execute(command % bind_params).fetchall()
Similarly, this block works fine, using the pyformat binding:
command = ("SELECT * FROM TEST_INPUT_TABLE WHERE batch_id = %(id)s")
bind_params = {"id": 2}
results = cur.execute(command, bind_params).fetchall()
But the following two blocks both result in a ProgrammingError (pasted below the second block):
command = ("SELECT * FROM %s WHERE batch_id = %s")
bind_params = ("TEST_INPUT_TABLE", 2)
results = cur.execute(command, bind_params).fetchall()
command = ("SELECT * FROM %(tablename)s WHERE batch_id = %(id)s")
bind_params = {
"tablename": "TEST_INPUT_TABLE",
"id": 2
}
results = cur.execute(command, bind_params).fetchall()
ProgrammingError: 001011 (42601): SQL compilation error:
invalid URL prefix found in: 'TEST_INPUT_TABLE'
Is there some difference between how strings and ints get interpolated? I would
not think it would make a difference but that is all I can think of. Am I
missing something simple here? I don't want to have to choose between hard-coding the table name and putting the system at risk of SQL injection. Thanks for any guidance.
You should be wrapping your bind variables with an INDENTIFER() function when they reference an object, rather than a string literal. For example:
command = ("SELECT * FROM IDENTIFIER(%(tablename)s) WHERE batch_id = %(id)s")
https://docs.snowflake.com/en/sql-reference/identifier-literal.html
Give that a try.
My model:
class User(ndb.Model):
name = ndb.StringProperty()
Is there any difference in terms of efficiency/cost/speed between the following two queries?
u = User.query(User.name==name).get()
u = User.query().filter(User.name==name).get()
Should I use one of them over the other? I assume the 2nd one is worse because it firsts get the entire User class queryset and then applies the filter?
There is no difference in functionality between the two so you can choose whatever you like best. On the google documentation, they show these two examples:
query = Account.query(Account.userid >= 40, Account.userid < 50)
and
query1 = Account.query() # Retrieve all Account entitites
query2 = query1.filter(Account.userid >= 40) # Filter on userid >= 40
query3 = query2.filter(Account.userid < 50) # Filter on userid < 50 too
and state:
query3 is equivalent to the query variable from the previous example.
Query = 'com pu'
Query = Query.split()
busi = ""
for data in Query:
busi += Business.objects.filter(Keywords__icontains=data)
When I use '+' symbol after busi variable for add all data according to filter that give error
Exception Type: TypeError
Exception Value:Can't convert 'QuerySet' object to str implicitly
How can I achieve that different Query part which split by that all give different-2 data and and both data in single busi object
from django.db.models import Q
Query = Query.split()
query = Q()
for data in Query:
query |= Q(keyword_name__icontains=data)
Business= Business.objects.filter(query)
Instead use &:
busi = None
q = Business.objects.filter(Keywords__icontains=data)
if busi is None:
busi = q
else:
busi = busi & q
I'm trying to develop a blog using webpy.
def getThread(self,num):
myvar = dict(numero=num)
print myvar
que = self.datab.select('contenidos',vars=myvar,what='contentTitle,content,update',where="category LIKE %%s%" %numero)
return que
I've used some of the tips you answer in this web but I only get a
<type 'exceptions.NameError'> at /
global name 'numero' is not defined
Python C:\xampp\htdocs\webpy\functions.py in getThread, line 42
Web GET http://:8080/
...
I'm trying to make a selection of some categorized posts. There is a table with category name and id. There is a column in the content table which takes a string which will be formatted '1,2,3,5'.
Then the way I think I can select the correct entries with the LIKE statement and some %something% magic. But I have this problem.
I call the code from the .py file which builds the web, the import statement works properly
getThread is defined inside this class:
class categoria(object):
def __init__(self,datab,nombre):
self.nombre = nombre
self.datab = datab
self.n = str(self.getCat()) #making the integer to be a string
self.thread = self.getThread(self.n)
return self.thread
def getCat(self):
'''
returns the id of the categorie (integer)
'''
return self.datab.select('categorias',what='catId', where='catName = %r' %(self.nombre), limit=1)
Please check the correct syntax for db.select (http://webpy.org/cookbook/select), you should not format query with "%" because it makes code vulnerable to sql injections. Instead, put vars in dict and refer to them with $ in your query.
myvars = dict(category=1)
db.select('contenidos', what='contentTitle,content,`update`', where="category LIKE '%'+$category+'%'", vars=myvars)
Will produce this query:
SELECT contentTitle,content,`update` FROM contenidos WHERE category LIKE '%'+1+'%'
Note that I backquoted update because it is reserved word in SQL.
I have the following models:
class Author(db.Model):
name = db.StringProperty()
class Story(db.Model):
author = db.ReferenceProperty(Author)
What's the raw GQL to find all Stories by a certain author. In regular SQL, I will use joins but I don't think that's available in GQL.
Edit:
I'm looking for the raw GQL way, I know how to do it the Pythonic way. For instance something like(the following is probably totally wrong):
"SELECT * FROM Story WHERE author = :1", "Shakespeare"
I want to run the above from the GAE admin Data > Data Viewer > Query the Datastore. I want the raw SQL that someone could run from a typical mysql or psql shell.
Edit2: Ah, the raw-GQL for use in the data-viewer...
Here's one way:
1) Run this and get the ID number:
SELECT * FROM Author where name = 'shakespeare'
2) Using ID number from previous query, run this:
SELECT * FROM Story where author = key('Author', 12345)
Edit: at long last, the raw GQL:
(Easiest way: Use the implicit backreference property name; in the form "modelname_set".)
qry = GqlQuery("SELECT * FROM Author WHERE name = :1", "shakespeare")
shakespeare = qry.get()
shakespeare.story_set # this property now contains all Shakespeare's stories
or
qry0 = GqlQuery("SELECT * FROM Author WHERE name = :1", "shakespeare")
shakespeare = qry0.get()
qry1 = GqlQuery("SELECT * FROM Story WHERE author = :1", shakespeare.key())
shakespeare_stories = qry1.fetch(10) # probably good to have some limit here
I prefer this way:
qry = Author.all()
qry.filter('name = ', 'shakespeare')
shakespeare = qry.get()
shakespeare.story_set # this property now contains all Shakespeare's stories
The more involved way may sometimes be necessary:
qry0 = Author.all()
qry0.filter('name = ', 'shakespeare')
shakespeare = qry0.get()
qry1 = Story.all()
qry1.filter('author = ', shakespeare.key())
shakespeare_stories = qry1.fetch(10) # probably good to have some limit here