Python SQLite parameter substitution with wildcards in LIKE
Question:
I am attempting to use a parametrized LIKE query with Python’s Sqlite library as below:
self.cursor.execute("select string from stringtable where string like '%?%' and type = ?", (searchstr,type))
but the ? inside of the wildcard is not being evaluated leaving me with this error:
"sqlite3.ProgrammingError: Incorrect number of bindings supplied. The current statement uses 1, and there are 2 supplied."
I also tried to use the tagged version of querying with:
like '%:searchstr%' and in the list having {"searchstr":searchstr...
but when I do that the query runs but never returns any results even though manually putting in "like '%a%'"... return hundreds of results as it should
any suggestions please?
Answers:
The quotes protect either ? or :name from being taken as a place-holder — they’re taken literally. You need to place the percent signs around the string you’re passing, and use the plain placeholder without quotes. I.e.:
self.cursor.execute(
"select string from stringtable where string like ? and type = ?",
('%'+searchstr+'%', type))
Note that neither ? is in quotes — and that’s exactly as it should be for them to be taken as placeholders.
Though is not an exact answer to question, and not to compete to be one, this solution however still tries to answer "parameter substitution in LIKE" as the title draws attention with this in mind too (like it did to me)
I was working in a similar manner and I combined two styles together. this way, user can enter the field name into function along with "%" being in the search parameter itself.
though field name needs sanitation, it is enough to use in small test projects. also moving "%" wildcard from query to a parameter allows user to use other wildcards.
database.py
def find_item(field,term):
cursor.execute("""
SELECT rowid,* FROM customers
WHERE (%s) LIKE ?
"""%field,(term,))
app.py
import database
database.find_item("first_name","%li%")
database.find_item("email","_li%")
I am attempting to use a parametrized LIKE query with Python’s Sqlite library as below:
self.cursor.execute("select string from stringtable where string like '%?%' and type = ?", (searchstr,type))
but the ? inside of the wildcard is not being evaluated leaving me with this error:
"sqlite3.ProgrammingError: Incorrect number of bindings supplied. The current statement uses 1, and there are 2 supplied."
I also tried to use the tagged version of querying with:
like '%:searchstr%' and in the list having {"searchstr":searchstr...
but when I do that the query runs but never returns any results even though manually putting in "like '%a%'"... return hundreds of results as it should
any suggestions please?
The quotes protect either ? or :name from being taken as a place-holder — they’re taken literally. You need to place the percent signs around the string you’re passing, and use the plain placeholder without quotes. I.e.:
self.cursor.execute(
"select string from stringtable where string like ? and type = ?",
('%'+searchstr+'%', type))
Note that neither ? is in quotes — and that’s exactly as it should be for them to be taken as placeholders.
Though is not an exact answer to question, and not to compete to be one, this solution however still tries to answer "parameter substitution in LIKE" as the title draws attention with this in mind too (like it did to me)
I was working in a similar manner and I combined two styles together. this way, user can enter the field name into function along with "%" being in the search parameter itself.
though field name needs sanitation, it is enough to use in small test projects. also moving "%" wildcard from query to a parameter allows user to use other wildcards.
database.py
def find_item(field,term):
cursor.execute("""
SELECT rowid,* FROM customers
WHERE (%s) LIKE ?
"""%field,(term,))
app.py
import database
database.find_item("first_name","%li%")
database.find_item("email","_li%")