Add quotes to every list element
Question:
I’m very new to Python. I need a simple and clear script to add quotes to every list element. Let me explain more. Here is my code.
parameters = ['a', 'b', 'c']
query = "SELECT * FROM foo WHERE bar IN (%s)" % (', '.join(parameters))
I want to use this to query, but the result is an invalid query. Here is the result.
SELECT * FROM foo WHERE bar IN (a, b, c, d)
I want it like this:
SELECT * FROM foo WHERE bar IN ('a', 'b', 'c', 'd')
How do I add quotes while joining elements?
Answers:
As you asked it, use this:
parameters = ['a', 'b', 'c']
', '.join(map(lambda x: "'" + x + "'", parameters))
Since you’re creating an SQL query, please use your database library’s features regarding input sanitation (example for mysqldb). You don’t want to end up with an issue like Bobby Tables.
A naive solution would be to iterate over your parameters list and append quotes to the beginning and end of each element:
(', '.join('"' + item + '"' for item in parameters))
Note: this is vulnerable to SQL injection (whether coincidental or deliberate). A better solution is to let the database quote and insert these values:
query = "SELECT * FROM foo WHERE bar IN (%s)" % ','.join('?' * len(params))
cursor.execute(query, params)
It’s easier to read and handles quoting properly.
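An added example (not part of the answers on this page) that runs the hand-quoted join and the placeholder version side by side against an in-memory SQLite table. The sample rows, the input values and the helper names make_db, select_quoted, select_bound and quoted_outcome are constructed for illustration; the ORDER BY and the empty-list handling are additions.

```python
import sqlite3

def make_db():
    # Constructed sample table; `foo` and `bar` follow the question's names.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (bar TEXT)")
    conn.executemany("INSERT INTO foo (bar) VALUES (?)",
                     [("a",), ("b",), ("O'Brien",)])
    return conn

def select_quoted(conn, parameters):
    # String-building approach: quotes are glued on by hand, so every value
    # becomes part of the SQL text itself.
    in_list = ", ".join("'" + p + "'" for p in parameters)
    query = "SELECT bar FROM foo WHERE bar IN (%s)" % in_list
    return conn.execute(query).fetchall()

def select_bound(conn, parameters):
    # One "?" per value; the driver passes values separately from the SQL text.
    params = list(parameters)
    if not params:
        return []  # "IN ()" is rejected by many databases, so answer directly
    placeholders = ", ".join("?" * len(params))
    query = "SELECT bar FROM foo WHERE bar IN (%s) ORDER BY bar" % placeholders
    return conn.execute(query, params).fetchall()

def quoted_outcome(conn, parameters):
    # Report what the hand-quoted query does: rows returned, or the SQL error.
    try:
        return ("rows", sorted(select_quoted(conn, parameters)))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)

if __name__ == "__main__":
    conn = make_db()
    # Constructed inputs: a plain list, a name with an apostrophe, and a value
    # written to close the quote and add its own condition.
    for values in (["a", "b"], ["O'Brien"], ["x') OR ('1'='1"]):
        print(values, "| quoted:", quoted_outcome(conn, values),
              "| bound:", select_bound(conn, values))
```

With the hand-quoted join, the apostrophe in a name is a syntax error and the third value matches every row; with placeholders both are treated as plain strings to compare against.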
For simple parameters, the following should work:
query = "SELECT * FROM foo WHERE bar IN %s" % repr(tuple(map(str,parameters)))
This may break down when the parameter names themselves include quotes, as the escaping rules are different.
In general (ignoring SQL)
In [3]: print(' '.join('"%s"' % x for x in ['a', 'b']))
"a" "b"