I got some issues passing my SQL query made in Python to MS SQL.
Were talking about retrieving some code via pyodbc, editing it with regex, and passing it back into a new table of the Database.
I also tried some print()-Commands to assure the Code is running in Python and being edited the right way, but I am not able to write those contents back to SQL after editing the strings.
Im trying to pass the string via:
try:
values = ""
for row in cursor.execute("select row1, row2 from db_table"):
cleanheader = cleanhtml(str(row.row1))
cleanbody = cleanhtml(str(row.row2))
values = values + "('" + cleanheader + "','" + cleanbody + "'),"
values[0:len(values)-1]
values = values + ";"
sql = "INSERT INTO db_new_table VALUES ('"+str(values)+"')"
cursor.execute(sql)
whereas cleanhtml() refers to my regex-function:
def cleanhtml(raw_html):
cleanr = re.compile('<.*?>|&([a-z0-9]+|#[0-9]{1,6}|#x[0-9a-f]{1,6});')
cleantext = re.sub(cleanr, '', raw_html)
return cleantext
Does anyone have an idea on how to pass those lines correctly to SQL?
Advertisement
Answer
Use a prepared statement rather than concatenation, which is vulnerable to SQL Injection, by creating an auxiliary list(row) to append the each processed member of the tuples coming from the cursor, and prefer using executemany rather than execute as being more performant such as
row=[]
for i in cursor.execute("SELECT col1, col2 FROM db_table"):
cleanheader = cleanhtml(str(i[0]))
cleanbody = cleanhtml(str(i[1]))
row.append((cleanheader,cleanbody),)
for i in row:
cursor.executemany('INSERT INTO db_new_table VALUES(?,?)',([i]))
con.commit()
con.close