开发者

Add quotes to every list element

I'm very new to python. I need a simple and clear script to add quotes to every list elements. Let me explain more. Here is the my code.

parameters = ['a', 'b', 'c']
query = "SELECT * FROM foo WHERE bar IN (%s)" % (', '.开发者_JS百科join(parameters))

I want to use this to query. But result is invalid query. Here is the result.

SELECT * FROM foo WHERE bar IN (a, b, c, d)

I want to like this:

SELECT * FROM foo WHERE bar IN ('a', 'b', 'c', 'd')

How to add quotes while joining elements.


A naive solution would be to iterate over your parameters list and append quotes to the beginning and end of each element:

(', '.join('"' + item + '"' for item in parameters))

Note: this is vulnerable to SQL injection (whether coincidental or deliberate). A better solution is to let the database quote and insert these values:

query = "SELECT * FROM foo WHERE bar IN (%s)" % ','.join('?' * len(params))
cursor.execute(query, params)

It's easier to read and handles quoting properly.


For simple parameters, the following should work:

query = "SELECT * FROM foo WHERE bar IN %s" % repr(tuple(map(str,parameters)))

This may break down when the parameter names themselves include quotes, as the escaping rules are different.


As you asked it, use this:

parameters = ['a', 'b', 'c']
', '.join(map(lambda x: "'" + x + "'", parameters))

Since you're creating an SQL query, please use your database library's features regarding input sanitation (example for mysqldb). You don't want to end up with an issue like Bobby Tables.


In general (ignoring SQL)

In [3]: print(' '.join('"%s"' % x for x in ['a', 'b']))                                                                                                                                              
"a" "b"
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜