有什么方法可以通过运营商＆lt;，lt;＆gt;，gt; =进入sql-Query？

发布于 2025-02-08 19:55:07 字数 2424 浏览 1 评论 0原文

我有这样的程序：

if self.current_condition == 'comparison':
comparison_command = '''SELECT * FROM {table} WHERE {pkey} < %s'''
cur.execute(sql.SQL(comparison_command).format(
                    table=sql.Identifier(self.current_table),
                    pkey=sql.Identifier(self.current_columns[0].text())
                ), 
                (self.comp_value, )
           )

我想做的就是写'＆lt;'在命令中以与{表}和{pkey}相同的方式，这意味着我想从变量传递运算符进入命令。我可以做吗？

应用程序的脸看起来像这样更多代码上下文。这是一个应用程序，该应用程序应该从SQL-Request从数据库中获取数据库，该数据由接口创建。如您所见，操作员比一个要选择的要多。

    def run_func(self):
    conn = None
    try:
        conn = psycopg2.connect(
            host='localhost',
            database='1rl',
            user='postgres',
            password=passwor)
        cur = conn.cursor()

        if self.current_condition == 'comparison':
            comparison_command = '''SELECT * FROM {table} WHERE {pkey} < %s'''
            cur.execute(sql.SQL(comparison_command).format(table=sql.Identifier(self.current_table),
                                                           pkey=sql.Identifier(self.current_columns[0].text())),
                                                            (self.comp_value, ))
            print(cur.fetchall())

    except (Exception, psycopg2.DatabaseError) as error:
        print(error)
    finally:
        if conn is not None:
            conn.close()


def display(self, i):
    self.list_of_conditions.setCurrentIndex(i)
    self.current_condition = self.all_conditions[i]
    print(self.current_condition)



def comp_value_changed(self):
    self.comp_value = self.value.text()

def comp_on_selected(self):
    sender = self.sender()
    self.comp_selec = sender.text()

def comparison_fun(self):
    layout = QFormLayout()
    compars = QHBoxLayout()

    for i in self.all_comparisons:
        temp = QRadioButton(i)
        temp.toggled.connect(self.comp_on_selected)
        compars.addWidget(temp)

    layout.addRow(QLabel('Operators'), compars)

    self.value = QLineEdit()
    self.value.textChanged.connect(self.comp_value_changed)
    layout.addRow("Value", self.value)

    rune = QPushButton('Run')
    rune.clicked.connect(self.run_func)
    layout.addRow(rune)
    self.comparison.setLayout(layout)

原文

I have such piece of program:

if self.current_condition == 'comparison':
comparison_command = '''SELECT * FROM {table} WHERE {pkey} < %s'''
cur.execute(sql.SQL(comparison_command).format(
                    table=sql.Identifier(self.current_table),
                    pkey=sql.Identifier(self.current_columns[0].text())
                ), 
                (self.comp_value, )
           )

What I want to do is write '<' in command in the same way as {table} and {pkey}, that means I want to pass operators into command from variable. Can I do it?

The face of the app looks like this
A little bit more of code context. It's an app, that should get data from database by sql-request, that creates from interface. As you can see, there's a bit more operators than one to choose.

    def run_func(self):
    conn = None
    try:
        conn = psycopg2.connect(
            host='localhost',
            database='1rl',
            user='postgres',
            password=passwor)
        cur = conn.cursor()

        if self.current_condition == 'comparison':
            comparison_command = '''SELECT * FROM {table} WHERE {pkey} < %s'''
            cur.execute(sql.SQL(comparison_command).format(table=sql.Identifier(self.current_table),
                                                           pkey=sql.Identifier(self.current_columns[0].text())),
                                                            (self.comp_value, ))
            print(cur.fetchall())

    except (Exception, psycopg2.DatabaseError) as error:
        print(error)
    finally:
        if conn is not None:
            conn.close()


def display(self, i):
    self.list_of_conditions.setCurrentIndex(i)
    self.current_condition = self.all_conditions[i]
    print(self.current_condition)



def comp_value_changed(self):
    self.comp_value = self.value.text()

def comp_on_selected(self):
    sender = self.sender()
    self.comp_selec = sender.text()

def comparison_fun(self):
    layout = QFormLayout()
    compars = QHBoxLayout()

    for i in self.all_comparisons:
        temp = QRadioButton(i)
        temp.toggled.connect(self.comp_on_selected)
        compars.addWidget(temp)

    layout.addRow(QLabel('Operators'), compars)

    self.value = QLineEdit()
    self.value.textChanged.connect(self.comp_value_changed)
    layout.addRow("Value", self.value)

    rune = QPushButton('Run')
    rune.clicked.connect(self.run_func)
    layout.addRow(rune)
    self.comparison.setLayout(layout)

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

倒数 2025-02-15 19:55:07

您可以在comparison_command上使用字符串插值，使用f-string符号，然后将现有的括号加倍以逃脱它们：

comparison_command = f'SELECT * FROM {{table}} WHERE {{pkey}} {self.comp_selec} %s'
cur.execute(sql.SQL(comparison_command).format(
                    table=sql.Identifier(self.current_table),
                    pkey=sql.Identifier(self.current_columns[0].text())
                ), 
                (self.comp_value, )
           )

这假设self.comp_selec在SQL Syntax中具有操作员，即它应该像“＆lt;”，“”＆lt; =“，” =“，”，“”＆gt; =“，”，“＆gt;”，而不是“ = =”，“ GE”，“更大”，... ETC。

我需要添加有关SQL注入风险的免责声明。据我了解，所有这些都在本地计算机上运行，智能用户可能会篡改可执行文件，并使SQL对数据库或其安全性有害。

You can use string interpolation on comparison_command, use f-string notation, and double the existing braces to escape them:

comparison_command = f'SELECT * FROM {{table}} WHERE {{pkey}} {self.comp_selec} %s'
cur.execute(sql.SQL(comparison_command).format(
                    table=sql.Identifier(self.current_table),
                    pkey=sql.Identifier(self.current_columns[0].text())
                ), 
                (self.comp_value, )
           )

This assumes that self.comp_selec has the operator in the SQL syntax, i.e. it should be like "<", "<=", "=", ">=", ">", and not "==", "ge", "greater", ...etc.

I need to add the disclaimer about the risk of SQL injection. As I understand all of this runs on a local machine, a smart user could potentially tamper with the executable and make the SQL execute something harmful for the database or its security.

回复收藏 0 原文

子栖 2025-02-15 19:55:07

使用 sql 。传递操作员：

comparison_command = sql.SQL("SELECT * FROM {table} WHERE {pkey} {op} %s").\
    format(table=sql.Identifier("test"), pkey=sql.Identifier("id"), op=sql.SQL(">"))

print(comparison_command.as_string(con))                                                                                                                                                                                
SELECT * FROM "test" WHERE "id" > %s

for op in [">", "<", "="]:
    comparison_command = sql.SQL("SELECT * FROM {table} WHERE {pkey} {op} %s").\
    format(table=sql.Identifier("test"), pkey=sql.Identifier("id"), op=sql.SQL(op))
    print(comparison_command.as_string(con))

SELECT * FROM "test" WHERE "id" > %s
SELECT * FROM "test" WHERE "id" < %s
SELECT * FROM "test" WHERE "id" = %s

Use sql.SQL to pass in the operator:

comparison_command = sql.SQL("SELECT * FROM {table} WHERE {pkey} {op} %s").\
    format(table=sql.Identifier("test"), pkey=sql.Identifier("id"), op=sql.SQL(">"))

print(comparison_command.as_string(con))                                                                                                                                                                                
SELECT * FROM "test" WHERE "id" > %s

for op in [">", "<", "="]:
    comparison_command = sql.SQL("SELECT * FROM {table} WHERE {pkey} {op} %s").\
    format(table=sql.Identifier("test"), pkey=sql.Identifier("id"), op=sql.SQL(op))
    print(comparison_command.as_string(con))

SELECT * FROM "test" WHERE "id" > %s
SELECT * FROM "test" WHERE "id" < %s
SELECT * FROM "test" WHERE "id" = %s

回复收藏 0 原文

~没有更多了~