Add variable columns to INSERT statement












1












$begingroup$


I'm learning SQL using python library pymysql.



I wanted to make an INSERT statement that will update 3, 5 or 10 columns using the same code by just passing the Database name, the Columns name and the Values.



Thus I made this:



def insert_statement(db,cols,values):
separator = ","
separator.join(cols)
statement = "INSERT INTO " + db + " (" + separator.join(cols) + ") VALUES ("
aux =
for i in range(0,len(values)):
aux.append("%s")

statement = statement + separator.join(aux) + ")"
print (statement)
return statement


Passing the values, the function produces:



>>>INSERT INTO Publicaciones (item_id,title,price) VALUES (%s,%s,%s)


Which works but, is it there a more pythonic way?










share|improve this question









New contributor




Nahuel Varela Blanco is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







$endgroup$

















    1












    $begingroup$


    I'm learning SQL using python library pymysql.



    I wanted to make an INSERT statement that will update 3, 5 or 10 columns using the same code by just passing the Database name, the Columns name and the Values.



    Thus I made this:



    def insert_statement(db,cols,values):
    separator = ","
    separator.join(cols)
    statement = "INSERT INTO " + db + " (" + separator.join(cols) + ") VALUES ("
    aux =
    for i in range(0,len(values)):
    aux.append("%s")

    statement = statement + separator.join(aux) + ")"
    print (statement)
    return statement


    Passing the values, the function produces:



    >>>INSERT INTO Publicaciones (item_id,title,price) VALUES (%s,%s,%s)


    Which works but, is it there a more pythonic way?










    share|improve this question









    New contributor




    Nahuel Varela Blanco is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.







    $endgroup$















      1












      1








      1





      $begingroup$


      I'm learning SQL using python library pymysql.



      I wanted to make an INSERT statement that will update 3, 5 or 10 columns using the same code by just passing the Database name, the Columns name and the Values.



      Thus I made this:



      def insert_statement(db,cols,values):
      separator = ","
      separator.join(cols)
      statement = "INSERT INTO " + db + " (" + separator.join(cols) + ") VALUES ("
      aux =
      for i in range(0,len(values)):
      aux.append("%s")

      statement = statement + separator.join(aux) + ")"
      print (statement)
      return statement


      Passing the values, the function produces:



      >>>INSERT INTO Publicaciones (item_id,title,price) VALUES (%s,%s,%s)


      Which works but, is it there a more pythonic way?










      share|improve this question









      New contributor




      Nahuel Varela Blanco is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.







      $endgroup$




      I'm learning SQL using python library pymysql.



      I wanted to make an INSERT statement that will update 3, 5 or 10 columns using the same code by just passing the Database name, the Columns name and the Values.



      Thus I made this:



      def insert_statement(db,cols,values):
      separator = ","
      separator.join(cols)
      statement = "INSERT INTO " + db + " (" + separator.join(cols) + ") VALUES ("
      aux =
      for i in range(0,len(values)):
      aux.append("%s")

      statement = statement + separator.join(aux) + ")"
      print (statement)
      return statement


      Passing the values, the function produces:



      >>>INSERT INTO Publicaciones (item_id,title,price) VALUES (%s,%s,%s)


      Which works but, is it there a more pythonic way?







      python python-3.x sql






      share|improve this question









      New contributor




      Nahuel Varela Blanco is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question









      New contributor




      Nahuel Varela Blanco is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question








      edited 2 days ago









      Ludisposed

      7,32421959




      7,32421959






      New contributor




      Nahuel Varela Blanco is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 2 days ago









      Nahuel Varela BlancoNahuel Varela Blanco

      83




      83




      New contributor




      Nahuel Varela Blanco is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Nahuel Varela Blanco is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Nahuel Varela Blanco is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






















          2 Answers
          2






          active

          oldest

          votes


















          2












          $begingroup$

          You’re not using values except for its length. But this should be the same length than cols, so use that instead.



          You also don't need a for-loop to build a list with the same element N times, list multiplication can handle that just fine.



          Lastly, I would use f-strings or at least str.format instead of string concatenation, it is prettyier.



          def insert_statement(db, columns):
          column_names = ', '.join(columns)
          placeholders = ', '.join(['%s'] * len(columns))
          return f'INSERT INTO {db} ({column_names}) VALUES ({placeholders})'


          Usage:



          >>> insert_statement('Publicationes', ['item_id', 'title', 'price'])
          'INSERT INTO Publicationes (item_id,title,price) VALUES (%s,%s,%s)'


          Depending on your calling site, you can also make columns a variable length argument, it may be easier to use:



          def insert_statement(db, *columns):
          column_names = ', '.join(columns)
          placeholders = ', '.join(['%s'] * len(columns))
          return f'INSERT INTO {db} ({column_names}) VALUES ({placeholders})'


          Usage:



          >>> insert_statement('Publicationes', 'item_id', 'title', 'price')
          'INSERT INTO Publicationes (item_id,title,price) VALUES (%s,%s,%s)'




          But you should limit yourself to only use this function using trusted input. If anything comming from a user enters here, this is a vulnerability waiting to happen:



          >>> user_input = "price) VALUES (42, 'foobar', 0.00); DROP TABLE Publicationes; -- Now this a vulnerability in disguise :"
          >>> insert_statement('Publicationes', 'item_id', 'title', user_input)
          "INSERT INTO Publicationes (item_id, title, price) VALUES (42, 'foobar', 0.00); DROP TABLE Publicationes; -- Now this a vulnerability in disguise :) VALUES (%s, %s, %s)"





          share|improve this answer











          $endgroup$













          • $begingroup$
            Yes! This was exactly what I was looking for. Thank you for all the information. And yes, this function will only be run by my server code without interaction with an user.
            $endgroup$
            – Nahuel Varela Blanco
            2 days ago



















          1












          $begingroup$

          SQL Injections



          Even though you are having these proper placeholders for values, your code is still vulnerable to SQL Injection attacks as table and column names are not properly sanitized.



          As table and column names cannot be parameterized the usual way, you could validate them separately. For instance, you could check that the table and column names are simply valid MySQL identifiers:




          • Python MySQL parameter queries for dynamic table names




          Object Relational Mappers



          As I understand the purpose of the task is to learn how to interact with the MySQL database via Python MySQL database driver, but, in general, this kind of problems are already solved by different abstraction layer libraries or commonly called ORMs (Object Relational Mappers) like SQLAlchemy, Peewee or PonyORM) which provide an extra Python layer around Python-to-database communication allowing you to basically write SQL queries in Python.






          share|improve this answer











          $endgroup$













            Your Answer





            StackExchange.ifUsing("editor", function () {
            return StackExchange.using("mathjaxEditing", function () {
            StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
            StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["\$", "\$"]]);
            });
            });
            }, "mathjax-editing");

            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "196"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });






            Nahuel Varela Blanco is a new contributor. Be nice, and check out our Code of Conduct.










            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f211617%2fadd-variable-columns-to-insert-statement%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            2












            $begingroup$

            You’re not using values except for its length. But this should be the same length than cols, so use that instead.



            You also don't need a for-loop to build a list with the same element N times, list multiplication can handle that just fine.



            Lastly, I would use f-strings or at least str.format instead of string concatenation, it is prettyier.



            def insert_statement(db, columns):
            column_names = ', '.join(columns)
            placeholders = ', '.join(['%s'] * len(columns))
            return f'INSERT INTO {db} ({column_names}) VALUES ({placeholders})'


            Usage:



            >>> insert_statement('Publicationes', ['item_id', 'title', 'price'])
            'INSERT INTO Publicationes (item_id,title,price) VALUES (%s,%s,%s)'


            Depending on your calling site, you can also make columns a variable length argument, it may be easier to use:



            def insert_statement(db, *columns):
            column_names = ', '.join(columns)
            placeholders = ', '.join(['%s'] * len(columns))
            return f'INSERT INTO {db} ({column_names}) VALUES ({placeholders})'


            Usage:



            >>> insert_statement('Publicationes', 'item_id', 'title', 'price')
            'INSERT INTO Publicationes (item_id,title,price) VALUES (%s,%s,%s)'




            But you should limit yourself to only use this function using trusted input. If anything comming from a user enters here, this is a vulnerability waiting to happen:



            >>> user_input = "price) VALUES (42, 'foobar', 0.00); DROP TABLE Publicationes; -- Now this a vulnerability in disguise :"
            >>> insert_statement('Publicationes', 'item_id', 'title', user_input)
            "INSERT INTO Publicationes (item_id, title, price) VALUES (42, 'foobar', 0.00); DROP TABLE Publicationes; -- Now this a vulnerability in disguise :) VALUES (%s, %s, %s)"





            share|improve this answer











            $endgroup$













            • $begingroup$
              Yes! This was exactly what I was looking for. Thank you for all the information. And yes, this function will only be run by my server code without interaction with an user.
              $endgroup$
              – Nahuel Varela Blanco
              2 days ago
















            2












            $begingroup$

            You’re not using values except for its length. But this should be the same length than cols, so use that instead.



            You also don't need a for-loop to build a list with the same element N times, list multiplication can handle that just fine.



            Lastly, I would use f-strings or at least str.format instead of string concatenation, it is prettyier.



            def insert_statement(db, columns):
            column_names = ', '.join(columns)
            placeholders = ', '.join(['%s'] * len(columns))
            return f'INSERT INTO {db} ({column_names}) VALUES ({placeholders})'


            Usage:



            >>> insert_statement('Publicationes', ['item_id', 'title', 'price'])
            'INSERT INTO Publicationes (item_id,title,price) VALUES (%s,%s,%s)'


            Depending on your calling site, you can also make columns a variable length argument, it may be easier to use:



            def insert_statement(db, *columns):
            column_names = ', '.join(columns)
            placeholders = ', '.join(['%s'] * len(columns))
            return f'INSERT INTO {db} ({column_names}) VALUES ({placeholders})'


            Usage:



            >>> insert_statement('Publicationes', 'item_id', 'title', 'price')
            'INSERT INTO Publicationes (item_id,title,price) VALUES (%s,%s,%s)'




            But you should limit yourself to only use this function using trusted input. If anything comming from a user enters here, this is a vulnerability waiting to happen:



            >>> user_input = "price) VALUES (42, 'foobar', 0.00); DROP TABLE Publicationes; -- Now this a vulnerability in disguise :"
            >>> insert_statement('Publicationes', 'item_id', 'title', user_input)
            "INSERT INTO Publicationes (item_id, title, price) VALUES (42, 'foobar', 0.00); DROP TABLE Publicationes; -- Now this a vulnerability in disguise :) VALUES (%s, %s, %s)"





            share|improve this answer











            $endgroup$













            • $begingroup$
              Yes! This was exactly what I was looking for. Thank you for all the information. And yes, this function will only be run by my server code without interaction with an user.
              $endgroup$
              – Nahuel Varela Blanco
              2 days ago














            2












            2








            2





            $begingroup$

            You’re not using values except for its length. But this should be the same length than cols, so use that instead.



            You also don't need a for-loop to build a list with the same element N times, list multiplication can handle that just fine.



            Lastly, I would use f-strings or at least str.format instead of string concatenation, it is prettyier.



            def insert_statement(db, columns):
            column_names = ', '.join(columns)
            placeholders = ', '.join(['%s'] * len(columns))
            return f'INSERT INTO {db} ({column_names}) VALUES ({placeholders})'


            Usage:



            >>> insert_statement('Publicationes', ['item_id', 'title', 'price'])
            'INSERT INTO Publicationes (item_id,title,price) VALUES (%s,%s,%s)'


            Depending on your calling site, you can also make columns a variable length argument, it may be easier to use:



            def insert_statement(db, *columns):
            column_names = ', '.join(columns)
            placeholders = ', '.join(['%s'] * len(columns))
            return f'INSERT INTO {db} ({column_names}) VALUES ({placeholders})'


            Usage:



            >>> insert_statement('Publicationes', 'item_id', 'title', 'price')
            'INSERT INTO Publicationes (item_id,title,price) VALUES (%s,%s,%s)'




            But you should limit yourself to only use this function using trusted input. If anything comming from a user enters here, this is a vulnerability waiting to happen:



            >>> user_input = "price) VALUES (42, 'foobar', 0.00); DROP TABLE Publicationes; -- Now this a vulnerability in disguise :"
            >>> insert_statement('Publicationes', 'item_id', 'title', user_input)
            "INSERT INTO Publicationes (item_id, title, price) VALUES (42, 'foobar', 0.00); DROP TABLE Publicationes; -- Now this a vulnerability in disguise :) VALUES (%s, %s, %s)"





            share|improve this answer











            $endgroup$



            You’re not using values except for its length. But this should be the same length than cols, so use that instead.



            You also don't need a for-loop to build a list with the same element N times, list multiplication can handle that just fine.



            Lastly, I would use f-strings or at least str.format instead of string concatenation, it is prettyier.



            def insert_statement(db, columns):
            column_names = ', '.join(columns)
            placeholders = ', '.join(['%s'] * len(columns))
            return f'INSERT INTO {db} ({column_names}) VALUES ({placeholders})'


            Usage:



            >>> insert_statement('Publicationes', ['item_id', 'title', 'price'])
            'INSERT INTO Publicationes (item_id,title,price) VALUES (%s,%s,%s)'


            Depending on your calling site, you can also make columns a variable length argument, it may be easier to use:



            def insert_statement(db, *columns):
            column_names = ', '.join(columns)
            placeholders = ', '.join(['%s'] * len(columns))
            return f'INSERT INTO {db} ({column_names}) VALUES ({placeholders})'


            Usage:



            >>> insert_statement('Publicationes', 'item_id', 'title', 'price')
            'INSERT INTO Publicationes (item_id,title,price) VALUES (%s,%s,%s)'




            But you should limit yourself to only use this function using trusted input. If anything comming from a user enters here, this is a vulnerability waiting to happen:



            >>> user_input = "price) VALUES (42, 'foobar', 0.00); DROP TABLE Publicationes; -- Now this a vulnerability in disguise :"
            >>> insert_statement('Publicationes', 'item_id', 'title', user_input)
            "INSERT INTO Publicationes (item_id, title, price) VALUES (42, 'foobar', 0.00); DROP TABLE Publicationes; -- Now this a vulnerability in disguise :) VALUES (%s, %s, %s)"






            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited 2 days ago

























            answered 2 days ago









            Mathias EttingerMathias Ettinger

            24.1k33183




            24.1k33183












            • $begingroup$
              Yes! This was exactly what I was looking for. Thank you for all the information. And yes, this function will only be run by my server code without interaction with an user.
              $endgroup$
              – Nahuel Varela Blanco
              2 days ago


















            • $begingroup$
              Yes! This was exactly what I was looking for. Thank you for all the information. And yes, this function will only be run by my server code without interaction with an user.
              $endgroup$
              – Nahuel Varela Blanco
              2 days ago
















            $begingroup$
            Yes! This was exactly what I was looking for. Thank you for all the information. And yes, this function will only be run by my server code without interaction with an user.
            $endgroup$
            – Nahuel Varela Blanco
            2 days ago




            $begingroup$
            Yes! This was exactly what I was looking for. Thank you for all the information. And yes, this function will only be run by my server code without interaction with an user.
            $endgroup$
            – Nahuel Varela Blanco
            2 days ago













            1












            $begingroup$

            SQL Injections



            Even though you are having these proper placeholders for values, your code is still vulnerable to SQL Injection attacks as table and column names are not properly sanitized.



            As table and column names cannot be parameterized the usual way, you could validate them separately. For instance, you could check that the table and column names are simply valid MySQL identifiers:




            • Python MySQL parameter queries for dynamic table names




            Object Relational Mappers



            As I understand the purpose of the task is to learn how to interact with the MySQL database via Python MySQL database driver, but, in general, this kind of problems are already solved by different abstraction layer libraries or commonly called ORMs (Object Relational Mappers) like SQLAlchemy, Peewee or PonyORM) which provide an extra Python layer around Python-to-database communication allowing you to basically write SQL queries in Python.






            share|improve this answer











            $endgroup$


















              1












              $begingroup$

              SQL Injections



              Even though you are having these proper placeholders for values, your code is still vulnerable to SQL Injection attacks as table and column names are not properly sanitized.



              As table and column names cannot be parameterized the usual way, you could validate them separately. For instance, you could check that the table and column names are simply valid MySQL identifiers:




              • Python MySQL parameter queries for dynamic table names




              Object Relational Mappers



              As I understand the purpose of the task is to learn how to interact with the MySQL database via Python MySQL database driver, but, in general, this kind of problems are already solved by different abstraction layer libraries or commonly called ORMs (Object Relational Mappers) like SQLAlchemy, Peewee or PonyORM) which provide an extra Python layer around Python-to-database communication allowing you to basically write SQL queries in Python.






              share|improve this answer











              $endgroup$
















                1












                1








                1





                $begingroup$

                SQL Injections



                Even though you are having these proper placeholders for values, your code is still vulnerable to SQL Injection attacks as table and column names are not properly sanitized.



                As table and column names cannot be parameterized the usual way, you could validate them separately. For instance, you could check that the table and column names are simply valid MySQL identifiers:




                • Python MySQL parameter queries for dynamic table names




                Object Relational Mappers



                As I understand the purpose of the task is to learn how to interact with the MySQL database via Python MySQL database driver, but, in general, this kind of problems are already solved by different abstraction layer libraries or commonly called ORMs (Object Relational Mappers) like SQLAlchemy, Peewee or PonyORM) which provide an extra Python layer around Python-to-database communication allowing you to basically write SQL queries in Python.






                share|improve this answer











                $endgroup$



                SQL Injections



                Even though you are having these proper placeholders for values, your code is still vulnerable to SQL Injection attacks as table and column names are not properly sanitized.



                As table and column names cannot be parameterized the usual way, you could validate them separately. For instance, you could check that the table and column names are simply valid MySQL identifiers:




                • Python MySQL parameter queries for dynamic table names




                Object Relational Mappers



                As I understand the purpose of the task is to learn how to interact with the MySQL database via Python MySQL database driver, but, in general, this kind of problems are already solved by different abstraction layer libraries or commonly called ORMs (Object Relational Mappers) like SQLAlchemy, Peewee or PonyORM) which provide an extra Python layer around Python-to-database communication allowing you to basically write SQL queries in Python.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited 2 days ago

























                answered 2 days ago









                alecxealecxe

                15.1k53478




                15.1k53478






















                    Nahuel Varela Blanco is a new contributor. Be nice, and check out our Code of Conduct.










                    draft saved

                    draft discarded


















                    Nahuel Varela Blanco is a new contributor. Be nice, and check out our Code of Conduct.













                    Nahuel Varela Blanco is a new contributor. Be nice, and check out our Code of Conduct.












                    Nahuel Varela Blanco is a new contributor. Be nice, and check out our Code of Conduct.
















                    Thanks for contributing an answer to Code Review Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    Use MathJax to format equations. MathJax reference.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f211617%2fadd-variable-columns-to-insert-statement%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    "Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

                    Alcedinidae

                    RAC Tourist Trophy