填充 PostgreSQL 数据库时出现 Python 错误
Populating a PostgreSQL database with Python error
我正在尝试填充数据库,但出现语法错误。
我有多个包含数据的列表,还有几个列表包含这些列表。
injury_act_1 = ('2017-01-16 15:36:38','Injury','Unsafe Act', 'TRUE', 'FALSE', 'While lifting a 50 lb item from the floor onto their wokrstation, the employee felt a sharp pain in their lower back.','The employee ran out of room on their workstation because the takeaway conveyor was inoperable')
重复 10 次。对于那些伤害、审计和这些审计的行动项目,有更多的行动项目列表。
我有一个函数可以将这些插入到我的数据库中。
def populate():
params = config()
# connect to the PostgreSQL server
conn = psycopg2.connect("dbname = safety")
cur = conn.cursor()
for i in range(len(injuries)):
incident = (
"""
INSERT INTO incident (
date_time,
incident_type,
incident_cat,
injury,
property_damage,
description,
root_cause
)
VALUES (
"""+ injuries[i][0] +""",
"""+ injuries[i][1] +""",
"""+ injuries[i][2] +""",
"""+ injuries[i][3] +""",
"""+ injuries[i][4] +""",
"""+ injuries[i][5] +""",
"""+ injuries[i][6] +"""
""")
cur.execute(incident)
print("Injury case added!")
action_items = (
"""
INSERT INTO action_items (
case_id,
finding,
corrective_action
)
VALUES (
"""+ (i+1) +""",
"""+ injuries[i][4] +". "+ injuries[i][5] +""",
"""+ actions[i] +""",
)
"""
)
cur.execute(action_items)
print("Action item added!")
for j in range(len(audits)):
audit = (
"""
INSERT INTO audit (
date_time,
type,
que_1,
que_2,
que_3,
ans_1,
ans_2,
ans_3,
)
VALUES (
"""+ str(audits[i][0]) +""",
"""+ audits[i][1] +""",
"""+ audits[i][2] +""",
"""+ audits[i][3] +""",
"""+ audits[i][4] +""",
"""+ audits[i][5] +""",
"""+ audits[i][6] +""",
"""+ audits[i][7] +"""
"""
)
cur.execute(audit)
print("Audit added!")
action_items_a = (
"""
INSERT INTO action_items (
audit_id,
finding,
corrective_action
)
VALUES (
"""+ (i+1) +""",
'Audit deficiency',
"""+ actions_a[i] +""",
)
"""
)
cur.execute(action_items_a)
print("Action item added!")
cur.close()
conn.commit()
populate()
我不断收到此错误:
Traceback (most recent call last):
File "database_populator.py", line 204, in <module>
populate()
File "database_populator.py", line 137, in populate
cur.execute(incident)
psycopg2.ProgrammingError: syntax error at or near "15"
Line 12: 2017-01-16 15:36:38,
^
如果您仍想自己构造查询字符串(这是个坏主意),请将日期用引号引起来:
"""
....
VALUES (
'"""+ injuries[i][0] +"""',
'"""+ injuries[i][1] +"""',
'"""+ injuries[i][2] +"""',
'"""+ injuries[i][3] +"""',
'"""+ injuries[i][4] +"""',
'"""+ injuries[i][5] +"""',
'"""+ injuries[i][6] +"""'
""")
更好的是,使用列表理解构造查询:
"""
....
VALUES(""" + ",".join("'{}'".format(injury) for injury in injuries[i]) + ")"
退后一步,看看您是如何形成查询的。尽量避免使用字符串连接来构建查询,尤其是对于任何类型的用户提供的输入。它不仅容易出错(如您所见),而且 a security nightmare.
您的代码应该使用 psycopg2's bind parameter support,看起来更像是:
incident = (
"""
INSERT INTO incident (
date_time,
incident_type,
incident_cat,
injury,
property_damage,
description,
root_cause
)
VALUES (""" + (["%s"] * 7).join(", ") + ")"
cur.execute(incident, injuries)
这样它就可以让 psycopg2 负责转义和格式化。
你可以写出七个文字 %ss,如果你愿意的话,比如 %s, %s, %s, ...。我只是更喜欢上面的形式。
这样,如果有人欺骗您的应用程序接受 injuries 中的字符串,例如 ');DROP TABLE incident;--,您就不会遇到这样的麻烦。
我正在尝试填充数据库,但出现语法错误。
我有多个包含数据的列表,还有几个列表包含这些列表。
injury_act_1 = ('2017-01-16 15:36:38','Injury','Unsafe Act', 'TRUE', 'FALSE', 'While lifting a 50 lb item from the floor onto their wokrstation, the employee felt a sharp pain in their lower back.','The employee ran out of room on their workstation because the takeaway conveyor was inoperable')
重复 10 次。对于那些伤害、审计和这些审计的行动项目,有更多的行动项目列表。
我有一个函数可以将这些插入到我的数据库中。
def populate():
params = config()
# connect to the PostgreSQL server
conn = psycopg2.connect("dbname = safety")
cur = conn.cursor()
for i in range(len(injuries)):
incident = (
"""
INSERT INTO incident (
date_time,
incident_type,
incident_cat,
injury,
property_damage,
description,
root_cause
)
VALUES (
"""+ injuries[i][0] +""",
"""+ injuries[i][1] +""",
"""+ injuries[i][2] +""",
"""+ injuries[i][3] +""",
"""+ injuries[i][4] +""",
"""+ injuries[i][5] +""",
"""+ injuries[i][6] +"""
""")
cur.execute(incident)
print("Injury case added!")
action_items = (
"""
INSERT INTO action_items (
case_id,
finding,
corrective_action
)
VALUES (
"""+ (i+1) +""",
"""+ injuries[i][4] +". "+ injuries[i][5] +""",
"""+ actions[i] +""",
)
"""
)
cur.execute(action_items)
print("Action item added!")
for j in range(len(audits)):
audit = (
"""
INSERT INTO audit (
date_time,
type,
que_1,
que_2,
que_3,
ans_1,
ans_2,
ans_3,
)
VALUES (
"""+ str(audits[i][0]) +""",
"""+ audits[i][1] +""",
"""+ audits[i][2] +""",
"""+ audits[i][3] +""",
"""+ audits[i][4] +""",
"""+ audits[i][5] +""",
"""+ audits[i][6] +""",
"""+ audits[i][7] +"""
"""
)
cur.execute(audit)
print("Audit added!")
action_items_a = (
"""
INSERT INTO action_items (
audit_id,
finding,
corrective_action
)
VALUES (
"""+ (i+1) +""",
'Audit deficiency',
"""+ actions_a[i] +""",
)
"""
)
cur.execute(action_items_a)
print("Action item added!")
cur.close()
conn.commit()
populate()
我不断收到此错误:
Traceback (most recent call last):
File "database_populator.py", line 204, in <module>
populate()
File "database_populator.py", line 137, in populate
cur.execute(incident)
psycopg2.ProgrammingError: syntax error at or near "15"
Line 12: 2017-01-16 15:36:38,
^
如果您仍想自己构造查询字符串(这是个坏主意),请将日期用引号引起来:
"""
....
VALUES (
'"""+ injuries[i][0] +"""',
'"""+ injuries[i][1] +"""',
'"""+ injuries[i][2] +"""',
'"""+ injuries[i][3] +"""',
'"""+ injuries[i][4] +"""',
'"""+ injuries[i][5] +"""',
'"""+ injuries[i][6] +"""'
""")
更好的是,使用列表理解构造查询:
"""
....
VALUES(""" + ",".join("'{}'".format(injury) for injury in injuries[i]) + ")"
退后一步,看看您是如何形成查询的。尽量避免使用字符串连接来构建查询,尤其是对于任何类型的用户提供的输入。它不仅容易出错(如您所见),而且 a security nightmare.
您的代码应该使用 psycopg2's bind parameter support,看起来更像是:
incident = (
"""
INSERT INTO incident (
date_time,
incident_type,
incident_cat,
injury,
property_damage,
description,
root_cause
)
VALUES (""" + (["%s"] * 7).join(", ") + ")"
cur.execute(incident, injuries)
这样它就可以让 psycopg2 负责转义和格式化。
你可以写出七个文字 %ss,如果你愿意的话,比如 %s, %s, %s, ...。我只是更喜欢上面的形式。
这样,如果有人欺骗您的应用程序接受 injuries 中的字符串,例如 ');DROP TABLE incident;--,您就不会遇到这样的麻烦。