How to remove the quotes from a string for SQL query in Python?

Question

I have a dictionary of database names. I take a name from the dictionary

database_name = database_dict[i]

lets say the value for database_name is 'foo'

Using Psycopg2 I am executing a statement:

cur.execute("INSERT INTO %s VALUES(...);", database_name)

I get A syntax error at foo, because it should be "INSERT INTO foo VALUES" not "INSERT INTO 'foo' VALUES"

Any advice how to pass in a string value for the name of the table and removing the single quotes? Should I place an escape character inside my database dictionary values?

EDIT: Something closer is here: How do I remove single quotes from a table in postgresql?

but I could not get it to work using REMOVE. It gave a syntax error at the single quote inside the remove statement.

Identifiers (such as table and column names) use double quotes in standard SQL (and PostgreSQL) so you need to use an identifier-specific quoting method. AFAIK this means quote_ident and string concatenation but I don't know enough Python or Psycopg2 to be sure of the best/right way. — mu is too short, Commented May 9, 2017 at 19:02
Is the value in database_dict[i] 'foo' or foo? Where are the quotes coming from? — Schwern, Commented May 9, 2017 at 22:57

James Dewes · Accepted Answer · 2023-05-16 14:15:53Z

22

from psycopg2.extensions import AsIs
cur.execute("INSERT INTO %s VALUES(...);", AsIs(database_name))

https://www.psycopg.org/docs/extensions.html#psycopg2.extensions.AsIs

BTW that is not a database name, it is a table name.

edited May 16, 2023 at 14:15

James Dewes

3874 silver badges24 bronze badges

answered May 9, 2017 at 22:30

Clodoaldo Neto

123k28 gold badges243 silver badges268 bronze badges

I believe AsIs(quote_ident(database_name)) would be the complete answer to avoid the possibility of a SQL injection attack.
– Schwern
Commented May 9, 2017 at 23:01
Using AsIs() is the correct answer, and should be accepted.
– cacois
Commented Aug 13, 2021 at 14:35

Add a comment |

Parfait · Accepted Answer · 2017-05-09 23:46:54Z

11

The structural components of an SQL query such as table and field names cannot be parameterized as you attempt in second argument of cursor.execute(query, params). Only numeric/literal data values can be parameterized.

Consider interpolating the database_name variable into the SQL query string but do so safely with psycopg2's sqlIdentifier() with str.format:

from psycopg2 import sql
...

cur.execute(sql.SQL('INSERT INTO {} VALUES(...)').format(sql.Identifier(database_name)))

Valid parameterizaiton in your case would be to bind the data values passed in the VALUES(...) in append query such as VALUES(%s, %s, %s). Alternatively in other queries:

"SELECT %s AS NewColumn..."

"...WHERE fieldname = %s OR otherfield IN (%s, %s, %s)"

"...HAVING Max(NumColumn) >= %s"

edited May 9, 2017 at 23:46

answered May 9, 2017 at 21:01

Parfait

107k19 gold badges98 silver badges131 bronze badges

Direct interpolation without escaping the database_name invites a SQL injection attack.
– Schwern
Commented May 9, 2017 at 22:44
By using .format, I was able to overcome this limitation. Thank you @Parfait
– Steve Scott
Commented May 9, 2017 at 22:55
There is no risk of SQL injection because there are no fields to fill out in my application.
– Steve Scott
Commented May 9, 2017 at 22:56
@SteveScott The unquoted, unescaped database_name itself is the risk. It should be run through quote_ident if you're going to build a SQL query with string methods like .format.
– Schwern
Commented May 9, 2017 at 22:58
1

Indeed, thanks to @Schwern pyscopg2 has the sql.Identifier() method to separate the string and variable parts of query for safe interpolation for identifiers. See edit.
– Parfait
Commented May 9, 2017 at 23:44

| Show 2 more comments

Schwern · Accepted Answer · 2017-05-09 23:00:06Z

Note: I haven't use psycopg2, this is based on what I know from similar database libraries.

A table name is an identifier and they get quoted and escaped differently than values. I believe you should use psycopg2.extensions.quote_ident(str, scope) to quote and escape it. I believe it uses the PostgreSQL function PQescapeIdentifier().

PQescapeIdentifier escapes a string for use as an SQL identifier, such as a table, column, or function name. This is useful when a user-supplied identifier might contain special characters that would otherwise not be interpreted as part of the identifier by the SQL parser, or when the identifier might contain upper case characters whose case should be preserved.

Then it will be quoted and escaped and can be safely added to the SQL string using normal string operations without risking a SQL injection attack, or using AsIs(quote_ident(database_name)) as a value to .execute.

Laurent LAPORTE · Accepted Answer · 2017-05-09 18:25:24Z

-2

If fact, database_name is "'foo'".

To drop the single quote:

database_name = database_name.replace("'", "")

answered May 9, 2017 at 18:25

Laurent LAPORTE

22.7k6 gold badges63 silver badges109 bronze badges

That is not correct. My value is a string. I cannot insert a string into the SQL statement without the single quotes. Your suggestion did not work.
– Steve Scott
Commented May 9, 2017 at 18:56
Right, %s wraps it in single quotes, but I cannot have quotes in the SQL statement.
– Steve Scott
Commented May 9, 2017 at 19:13

Add a comment |

Collectives™ on Stack Overflow

How to remove the quotes from a string for SQL query in Python?

4 Answers 4

Not the answer you're looking for? Browse other questions tagged
python
sql
postgresql
psycopg2
or ask your own question.

Linked

Hot Network Questions

Collectives™ on Stack Overflow

4 Answers 4

Not the answer you're looking for? Browse other questions tagged pythonsqlpostgresqlpsycopg2 or ask your own question.

Linked

Related

Not the answer you're looking for? Browse other questions tagged
python
sql
postgresql
psycopg2
or ask your own question.