
My table, "info", has 4 columns: bp, key, exp and job. I'm trying to create a function that searches for a term within a specified column:

Edit: Different problem, see 2nd code and 2nd error below

def search2(query, field):
    search_string = query

    if field == "bp":
        cursor.execute("SELECT * FROM info WHERE bp="+search_string)
    elif field == "key":
        cursor.execute("SELECT * FROM info WHERE key="+search_string)
    elif field == "exp":
        cursor.execute("SELECT * FROM info WHERE exp="+search_string)
    elif field == "job":
        cursor.execute("SELECT * FROM info WHERE job="+search_string)

However, this raises an error, with "test" as search string and "bp" as column:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\Users\user\Programs\time_database.py", line 32, in search2
    cursor.execute("SELECT * FROM info WHERE bp="+search_string)
sqlite3.OperationalError: no such column: test

And by the way, "test" wasn't intended to be a column. I want it to be a search string that matches the specified column...

EDIT

Thanks Martijn Pieters for that, but now another error has surfaced. My code now is:

def search2(query, field):
    search_string = query

    if field == "bp":
        cursor.execute("SELECT * FROM info WHERE job=?", search_string)
    elif field == "key":
        cursor.execute("SELECT * FROM info WHERE key="+search_string)
    elif field == "exp":
        cursor.execute("SELECT * FROM info WHERE exp="+search_string)
    elif field == "job":
        cursor.execute("SELECT * FROM info WHERE job="+search_string)

And the error I get is:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\Users\gummi\Programs\time_database.py", line 32, in search2
    cursor.execute("SELECT * FROM info WHERE job=?", search_string)
sqlite3.ProgrammingError: Incorrect number of bindings supplied. The current statement uses 1, and there are 4 supplied.

1 Answer


You are not quoting the search string. The database is interpreting it as a column name instead.

Use query parameters, which quote the search string for you automatically:

# The parameters must be a sequence with one entry per placeholder;
# passing the bare string would bind each character separately.
cursor.execute("SELECT * FROM info WHERE job=?", (search_string,))

Then, provided the field (column) value does not come from an untrusted source (such as a web page), you can interpolate it directly into the query:

cursor.execute("SELECT * FROM info WHERE %s=?" % field, (search_string,))

Now all of the branches are unnecessary.

If field does come from an untrusted source, the simplest approach is to check that it is one of the permitted values:

def search2(query, field):
    # Only a known column name may be interpolated into the SQL text.
    if field not in {'bp', 'key', 'exp', 'job'}:
        raise ValueError('No such column ' + field)
    cursor.execute("SELECT * FROM info WHERE %s=?" % field, (query,))
answered 2012-08-21T14:23:29.433
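The following is an added, self-contained example (not code from the question or the answer) that reproduces both errors from the question against a constructed in-memory SQLite table and shows the whitelisted, parameterised search beside them; the table contents, `make_db` and `error_name` are assumptions made for the demonstration.

```python
import sqlite3

# Column names that may be interpolated into the SQL text (allow-list).
ALLOWED_FIELDS = frozenset({"bp", "key", "exp", "job"})


def make_db():
    """Constructed in-memory 'info' table with the four columns from the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE info (bp TEXT, key TEXT, exp TEXT, job TEXT)")
    conn.executemany("INSERT INTO info VALUES (?, ?, ?, ?)", [
        ("test", "k1", "e1", "dev"),     # constructed sample row
        ("other", "k2", "e2", "test"),   # constructed sample row
    ])
    return conn


def search_concat(cursor, query, field):
    """The question's original approach: the value is spliced into the SQL text,
    so SQLite parses it as an identifier (-> 'no such column: test')."""
    cursor.execute("SELECT * FROM info WHERE " + field + "=" + query)
    return cursor.fetchall()


def search_bad_binding(cursor, query):
    """The question's second attempt: a bare str is a sequence of characters,
    so 'test' supplies 4 bindings for 1 placeholder (-> ProgrammingError)."""
    cursor.execute("SELECT * FROM info WHERE job=?", query)
    return cursor.fetchall()


def search2(cursor, query, field):
    """Hardened version: allow-list the column name, bind the value as a 1-tuple."""
    if field not in ALLOWED_FIELDS:
        raise ValueError("No such column " + field)
    cursor.execute("SELECT * FROM info WHERE %s=?" % field, (query,))
    return cursor.fetchall()


def error_name(fn, *args):
    """Return the class name of the exception fn(*args) raises, or None."""
    try:
        fn(*args)
    except Exception as exc:
        return type(exc).__name__
    return None
```

Running `search2(make_db().cursor(), "test", "bp")` returns only the row whose bp column equals the literal string "test", while both original variants raise as in the question's tracebacks.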