How to escape quotes in django sql formatting











up vote
0
down vote

favorite












I have the following code:



# looks like: "('tt1098327','tt3819668','tt0049251')", <type 'str'>

ids_as_string = "(-1)" if not ids else ("('" + "','".join(ids).strip("',") + "')")



items = list(Item.objects.raw("""SELECT * FROM mturk_imdb WHERE (MATCH(name) against(%s)) AND (imdb_id NOT IN %s)""", (q, ids_as_string )))


The problem with this is that the sql formatter tries to escape the quotes that I have added in for the tuple:




DatabaseError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''('tt1098327','tt3819668','tt0049251','tt3878722




What would be the correct way to do the above?






python sql django







share|improve this question






















  • can you show what ids is?
    – Jack Herer
    Nov 12 at 1:26












  • what exactly are you trying to do? do you want to create a tuple of ids to use as a variable in sql
    – Jack Herer
    Nov 12 at 1:28












  • why are you joining with a comma and then stripping at the comma again?
    – Jack Herer
    Nov 12 at 1:30












  • Why are you doing this as raw SQL rather than an ORM query, which would take care of all relevant escaping?
    – Daniel Roseman
    Nov 12 at 7:37










  • @DanielRoseman if you can show me how to do it as a regular ORM query I'm all for it -- note there's also a union in the query (not mentioned above) and two limits applied, so not really a straightforward query.
    – David L
    Nov 12 at 23:48

















up vote
0
down vote

favorite












I have the following code:



# looks like: "('tt1098327','tt3819668','tt0049251')", <type 'str'>

ids_as_string = "(-1)" if not ids else ("('" + "','".join(ids).strip("',") + "')")



items = list(Item.objects.raw("""SELECT * FROM mturk_imdb WHERE (MATCH(name) against(%s)) AND (imdb_id NOT IN %s)""", (q, ids_as_string )))


The problem with this is that the sql formatter tries to escape the quotes that I have added in for the tuple:




DatabaseError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''('tt1098327','tt3819668','tt0049251','tt3878722




What would be the correct way to do the above?






python sql django







share|improve this question






















  • can you show what ids is?
    – Jack Herer
    Nov 12 at 1:26












  • what exactly are you trying to do? do you want to create a tuple of ids to use as a variable in sql
    – Jack Herer
    Nov 12 at 1:28












  • why are you joining with a comma and then stripping at the comma again?
    – Jack Herer
    Nov 12 at 1:30












  • Why are you doing this as raw SQL rather than an ORM query, which would take care of all relevant escaping?
    – Daniel Roseman
    Nov 12 at 7:37










  • @DanielRoseman if you can show me how to do it as a regular ORM query I'm all for it -- note there's also a union in the query (not mentioned above) and two limits applied, so not really a straightforward query.
    – David L
    Nov 12 at 23:48















up vote
0
down vote

favorite









up vote
0
down vote

favorite











I have the following code:



# looks like: "('tt1098327','tt3819668','tt0049251')", <type 'str'>

ids_as_string = "(-1)" if not ids else ("('" + "','".join(ids).strip("',") + "')")



items = list(Item.objects.raw("""SELECT * FROM mturk_imdb WHERE (MATCH(name) against(%s)) AND (imdb_id NOT IN %s)""", (q, ids_as_string )))


The problem with this is that the sql formatter tries to escape the quotes that I have added in for the tuple:




DatabaseError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''('tt1098327','tt3819668','tt0049251','tt3878722




What would be the correct way to do the above?






python sql django







share|improve this question













I have the following code:



# looks like: "('tt1098327','tt3819668','tt0049251')", <type 'str'>

ids_as_string = "(-1)" if not ids else ("('" + "','".join(ids).strip("',") + "')")



items = list(Item.objects.raw("""SELECT * FROM mturk_imdb WHERE (MATCH(name) against(%s)) AND (imdb_id NOT IN %s)""", (q, ids_as_string )))


The problem with this is that the sql formatter tries to escape the quotes that I have added in for the tuple:




DatabaseError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''('tt1098327','tt3819668','tt0049251','tt3878722




What would be the correct way to do the above?






python sql django




python sql django






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 11 at 22:56









David L

35310




35310












  • can you show what ids is?
    – Jack Herer
    Nov 12 at 1:26












  • what exactly are you trying to do? do you want to create a tuple of ids to use as a variable in sql
    – Jack Herer
    Nov 12 at 1:28












  • why are you joining with a comma and then stripping at the comma again?
    – Jack Herer
    Nov 12 at 1:30












  • Why are you doing this as raw SQL rather than an ORM query, which would take care of all relevant escaping?
    – Daniel Roseman
    Nov 12 at 7:37










  • @DanielRoseman if you can show me how to do it as a regular ORM query I'm all for it -- note there's also a union in the query (not mentioned above) and two limits applied, so not really a straightforward query.
    – David L
    Nov 12 at 23:48




















  • can you show what ids is?
    – Jack Herer
    Nov 12 at 1:26












  • what exactly are you trying to do? do you want to create a tuple of ids to use as a variable in sql
    – Jack Herer
    Nov 12 at 1:28












  • why are you joining with a comma and then stripping at the comma again?
    – Jack Herer
    Nov 12 at 1:30












  • Why are you doing this as raw SQL rather than an ORM query, which would take care of all relevant escaping?
    – Daniel Roseman
    Nov 12 at 7:37










  • @DanielRoseman if you can show me how to do it as a regular ORM query I'm all for it -- note there's also a union in the query (not mentioned above) and two limits applied, so not really a straightforward query.
    – David L
    Nov 12 at 23:48


















can you show what ids is?
– Jack Herer
Nov 12 at 1:26






can you show what ids is?
– Jack Herer
Nov 12 at 1:26














what exactly are you trying to do? do you want to create a tuple of ids to use as a variable in sql
– Jack Herer
Nov 12 at 1:28






what exactly are you trying to do? do you want to create a tuple of ids to use as a variable in sql
– Jack Herer
Nov 12 at 1:28














why are you joining with a comma and then stripping at the comma again?
– Jack Herer
Nov 12 at 1:30






why are you joining with a comma and then stripping at the comma again?
– Jack Herer
Nov 12 at 1:30














Why are you doing this as raw SQL rather than an ORM query, which would take care of all relevant escaping?
– Daniel Roseman
Nov 12 at 7:37




Why are you doing this as raw SQL rather than an ORM query, which would take care of all relevant escaping?
– Daniel Roseman
Nov 12 at 7:37












@DanielRoseman if you can show me how to do it as a regular ORM query I'm all for it -- note there's also a union in the query (not mentioned above) and two limits applied, so not really a straightforward query.
– David L
Nov 12 at 23:48






@DanielRoseman if you can show me how to do it as a regular ORM query I'm all for it -- note there's also a union in the query (not mentioned above) and two limits applied, so not really a straightforward query.
– David L
Nov 12 at 23:48














1 Answer
1






active

oldest

votes

















up vote
0
down vote













This might be a really stupid approach, but one way would be to combine the two different types of string formatting as follows:



sql = "SELECT * FROM mturk_imdb WHERE (MATCH(name) against(%s)) AND (imdb_id NOT IN %s) LIMIT 20 UNION SELECT * FROM mturk_imdb WHERE name=%s AND (imdb_id NOT IN %s) LIMIT 30" % ('%s', imdb_ids_as_tuple_str, '%s', imdb_ids_as_tuple_str)

items = list(Item.objects.raw(sql, (q, q)))


Where you need the exact unescaped string, you can use %, and where you want to escape user inputted data, you can use the , (params).






share|improve this answer





















    Your Answer






    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "1"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53254077%2fhow-to-escape-quotes-in-django-sql-formatting%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    0
    down vote













    This might be a really stupid approach, but one way would be to combine the two different types of string formatting as follows:



    sql = "SELECT * FROM mturk_imdb WHERE (MATCH(name) against(%s)) AND (imdb_id NOT IN %s) LIMIT 20 UNION SELECT * FROM mturk_imdb WHERE name=%s AND (imdb_id NOT IN %s) LIMIT 30" % ('%s', imdb_ids_as_tuple_str, '%s', imdb_ids_as_tuple_str)
    
items = list(Item.objects.raw(sql, (q, q)))


    Where you need the exact unescaped string, you can use %, and where you want to escape user inputted data, you can use the , (params).






    share|improve this answer

























      up vote
      0
      down vote













      This might be a really stupid approach, but one way would be to combine the two different types of string formatting as follows:



      sql = "SELECT * FROM mturk_imdb WHERE (MATCH(name) against(%s)) AND (imdb_id NOT IN %s) LIMIT 20 UNION SELECT * FROM mturk_imdb WHERE name=%s AND (imdb_id NOT IN %s) LIMIT 30" % ('%s', imdb_ids_as_tuple_str, '%s', imdb_ids_as_tuple_str)
      
items = list(Item.objects.raw(sql, (q, q)))


      Where you need the exact unescaped string, you can use %, and where you want to escape user inputted data, you can use the , (params).






      share|improve this answer























        up vote
        0
        down vote










        up vote
        0
        down vote









        This might be a really stupid approach, but one way would be to combine the two different types of string formatting as follows:



        sql = "SELECT * FROM mturk_imdb WHERE (MATCH(name) against(%s)) AND (imdb_id NOT IN %s) LIMIT 20 UNION SELECT * FROM mturk_imdb WHERE name=%s AND (imdb_id NOT IN %s) LIMIT 30" % ('%s', imdb_ids_as_tuple_str, '%s', imdb_ids_as_tuple_str)
        
items = list(Item.objects.raw(sql, (q, q)))


        Where you need the exact unescaped string, you can use %, and where you want to escape user inputted data, you can use the , (params).






        share|improve this answer












        This might be a really stupid approach, but one way would be to combine the two different types of string formatting as follows:



        sql = "SELECT * FROM mturk_imdb WHERE (MATCH(name) against(%s)) AND (imdb_id NOT IN %s) LIMIT 20 UNION SELECT * FROM mturk_imdb WHERE name=%s AND (imdb_id NOT IN %s) LIMIT 30" % ('%s', imdb_ids_as_tuple_str, '%s', imdb_ids_as_tuple_str)
        
items = list(Item.objects.raw(sql, (q, q)))


        Where you need the exact unescaped string, you can use %, and where you want to escape user inputted data, you can use the , (params).







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 11 at 23:02









        David L

        35310




        35310






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53254077%2fhow-to-escape-quotes-in-django-sql-formatting%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            The Sandy Post

            Image
            The Sandy Post From Wikipedia, the free encyclopedia Jump to navigation Jump to search The Sandy Post Type Weekly Newspaper Format Tabloid Owner(s) Community Newspapers/Pamplin Media Group Publisher J. Mark Garber Editor Steve Brown Founded 1937  ( 1937 ) Headquarters Sandy, Oregon Circulation 3,800 Website www.pamplinmedia.com/sandy-post-home/ This article needs additional citations for verification . Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. (February 2010) (Learn how and when to remove this template message) The Sandy Post is a weekly newspaper, published in Sandy, Oregon, United States. The paper, founded in 1937, serves the communities of Sandy, Boring, the Villages at Mount Hood and the surrounding areas. The newspaper is owned by Community Newspapers/Pamplin Media Group, a company of ...
            Read more

            Danny Elfman

            Image
            Danny Elfman From Wikipedia, the free encyclopedia Jump to navigation Jump to search Danny Elfman Elfman at the 2010 San Diego Comic-Con Born Daniel Robert Elfman ( 1953-05-29 ) May 29, 1953 (age 65) Los Angeles, California, U.S. Spouse(s) Bridget Fonda ( m.  2003) Children 1 Musical career Genres Rock [1] ska [2] new wave film music video game music Occupation(s) Composer, singer, songwriter, record producer Instruments Trombone guitar percussion vocals keyboards [3] Years active 1972–present Associated acts Oingo Boingo James Newton Howard Daniel Robert Elfman (born May 29, 1953) is an American composer, singer, songwriter, and record producer. Elfman first became known for being the lead singer and songwriter for the band Oingo Boingo from 1974 to 1995. He is well known for scoring films and television shows, particularly his frequent collabora...
            Read more

            Pages that link to "Head v. Amoskeag Manufacturing Co."

            Image
            Help Pages that link to "Head v. Amoskeag Manufacturing Co." ← Head v. Amoskeag Manufacturing Co. Jump to navigation Jump to search What links here Page:   Namespace:  all (Article) Talk User User talk Wikipedia Wikipedia talk File File talk MediaWiki MediaWiki talk Template Template talk Help Help talk Category Category talk Portal Portal talk Book Book talk Draft Draft talk TimedText TimedText talk Module Module talk Gadget Gadget talk Gadget definition Gadget definition talk   Invert selection Filters Hide transclusions | Hide links | Hide redirects The following pages link to Head v. Amoskeag Manufacturing Co. External tools: Show redirects only View (previous 50 | next 50) (20 | 50 | 100 | 250 | 500) Amoskeag Manufacturing Company ‎ (links | edit) List of United States Supreme Court cases by the Waite Court ‎ (links | edit) Talk:Head v. Amoskeag Manuf...
            Read more