logo标签列表

通过Python/psycopg2向Postgresql数据库插入数据出现问题

pythonpostgresqlinsert
3

使用下面的方法,我构建了一个插入命令,将一个项(存储为字典)插入到我的postgresql数据库中。但是,当我将该命令传递给cur.execute时,我会得到一个语法错误。我真的不知道为什么会出现这个错误。

>>> print insert_string
"""INSERT INTO db_test (album, dj, datetime_scraped, artist, playdatetime, label, showblock, playid, showtitle, time, station, source_url, showgenre, songtitle, source_title) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s);""", (item['album'], item['dj'], item['datetime_scraped'], item['artist'], item['playdatetime'], item['label'], item['showblock'], item['playid'], item['showtitle'], item['time'], item['station'], item['source_url'], item['showgenre'], item['songtitle'], item['source_title'])

>>> cur.execute(insert_string)

psycopg2.ProgrammingError: syntax error at or near """"INSERT INTO db_test (album, dj, datetime_scraped, artist, playdatetime, label, showblock, playid, showtitle, time, station, source_url, showgenre, songtitle, source_title) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s);""""
    LINE 1: """INSERT INTO db_test (album, dj, datetime_scraped, artis...

这是一个更加“眼睛友好”的插入命令示例:
"""INSERT INTO db_test (album, dj, datetime_scraped, artist, playdatetime, label, showblock, playid, showtitle, time, station, source_url, showgenre, songtitle, source_title) 
    VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s);""",
    (item['album'], item['dj'], item['datetime_scraped'], item['artist'], item['playdatetime'], item['label'], item['showblock'], item['playid'], item['showtitle'], item['time'], item['station'], item['source_url'], item['showgenre'], item['songtitle'], item['source_title'])

构建插入的方法:
def build_insert(self, table_name, item):
    if len(item) == 0:
      log.msg("Build_insert failed.  Delivered item was empty.", level=log.ERROR)
      return ''

    #itemKeys = item.keys()
    itemValues = []
    for key in item.keys(): # Iterate through each key, surrounded by item[' '], seperated by comma
      itemValues.append('item[\'{theKey}\']'.format(theKey=key))

    sqlCommand = "\"\"\"INSERT INTO {table} ({keys}) VALUES ({value_symbols});\"\"\", ({values})".format(
      table = table_name, #table to insert into, provided as method's argument
      keys = ", ".join(item.keys()), #iterate through keys, seperated by comma
      value_symbols = ", ".join("%s" for key in itemValues), #create a %s for each key
      values = ", ".join(itemValues))

    return sqlCommand

编辑:

我使用了Gringo Suaves的建议,除了对build_insert方法进行了小修改(根据键的数量创建尽可能多的%s符号)。

def build_insert(self, table_name, item):
  if len(item) == 0:
    log.msg("Build_insert failed.  Delivered item was empty.", level=log.ERROR)
    return ''

  keys = item.keys()
  values = [ item[k] for k in keys] # make a list of each key

  sqlCommand = 'INSERT INTO {table} ({keys}) VALUES ({value_symbols});'.format(
    table = table_name, #table to insert into, provided as method's argument
    keys = ", ".join(keys), #iterate through keys, seperated by comma
    value_symbols = ", ".join("%s" for value in values) #create a %s for each key
    )
  return (sqlCommand, values)
2个回答
2

你的字符串不是有效的SQL语句,其中包含了许多Python的无用信息。

我认为我已经修复了这个方法:

def build_insert(self, table_name, item):
    if len(item) == 0:
      log.msg('Build_insert failed.  Delivered item was empty.', level=log.ERROR)
      return ''

    keys = item.keys()
    values = [ item[k] for k in keys ]

    sqlCommand = 'INSERT INTO {table} ({keys}) VALUES ({placeholders});'.format(
      table = table_name,
      keys = ', '.join(keys),
      placeholders = ', '.join([ "'%s'" for v in values ])  # extra quotes may not be necessary
    )

    return (sqlCommand, values)

使用一些虚拟数据,它返回了以下元组。我为了清晰起见添加了几个换行符:

( "INSERT INTO thetable (album, dj, datetime_scraped, artist,
    playdatetime, label, showblock, playid, songtitle, time, station,
    source_url, showgenre, showtitle, source_title) VALUES ('%s', '%s',
    '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s',
    '%s', '%s');",
    ['album_val', 'dj_val', 'datetime_scraped_val', 'artist_val',
    'playdatetime_val', 'label_val', 'showblock_val', 'playid_val',
    'songtitle_val', 'time_val', 'station_val', 'source_url_val',
    'showgenre_val', 'showtitle_val', 'source_title_val'] 
)

最后,将其传递到cur.execute()中:

instr, data = build_insert(self, 'thetable', item)
cur.execute(instr, data)
这个很好用,除了你在代码中只使用了一个(%s)(因为有多个值被插入)。我已经将我的最终代码添加到顶部。谢谢! - alukach
好的,之前我有多个,但是我对你的链接理解得太过字面了。 - Gringo Suave
-2

你缺少'%'(在传递查询参数之前)。

基本上,你必须确保'%s'被实际值替换。

例如: msg = 'world' Test = 'hello %s' % msg

'%'将使用变量msg中存储的任何内容替换占位符。

你可以看到错误消息中psycopg获取带有实际'%s'的查询字符串,这就是为什么它无法运行的原因。

3
我认为这不是正确的方法。根据我了解的SQL语句,使用字符串参数插值(%)是一个大忌,会导致SQL注入漏洞(详细解释)。我参考了他们的演示文稿(此部分)来格式化我的命令。 - alukach
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接