
Problem description

I feel like this is a stupid question but I can't find anything anywhere.

I want to build an SQL query using psycopg2 where the user specifies the sort / order by column. Client-side it's a javascript grid of data offering sorting / paging etc.

Normal substitution practice doesn't work (note the E'xx'):

cur.mogrify('select * from table offset %s limit %s order by %s', [0,5,'sort_column'])
>>> "select * from table offset 0 limit 5 order by E'sort_column'"

Short of cleansing / substituting the order by clause in myself, what is the recommended way to do this?

Am I a duplicate of: psycopg2 E' on table, field and schema?

Cheers

-i

Accepted answer

Entity names (tables/columns etc...) in Python's DBAPI shouldn't be run through any placeholder processing as variables are supposed to be. You will have to do your own formatting:

'select * from table offset %s limit %s order by %s' % (0,5,'sort_column')

But please use the proper escaping / placeholder functionality for WHERE var = %s etc...
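The accepted answer leaves the column name to plain string formatting, and if that name comes straight from the browser's grid it is the one part of the query the driver will not protect. The following is an added example, not code from the original question or answer, showing what a practitioner would actually do: keep offset and limit as bound parameters, map the client's sort column onto a fixed allowlist, and quote it as a PostgreSQL identifier (double quotes with embedded quotes doubled, which is also how psycopg2's `psycopg2.sql.Identifier`, available since 2.7, renders identifiers). The table `items`, its columns and the grid's `-column` parameter shape are assumptions. It also puts ORDER BY before OFFSET/LIMIT, which PostgreSQL requires; the snippets above have them the other way round, which `mogrify` does not catch because it only substitutes parameters. The functions run without a database; a real call would pass the returned `sql_text, params` to `cur.execute`.

```python
"""Build an ORDER BY clause safely from user input for a psycopg2 query.

Added example, not code from the original post. The table name, the column
allowlist and the grid's sort-parameter format are assumptions.
"""

# Assumed schema: the only columns the grid is allowed to sort by. An allowlist,
# not just quoting, is the real control: quoting alone would still let a client
# order by any column that exists and probe the table that way.
ALLOWED_SORT_COLUMNS = frozenset({"id", "name", "price", "created_at"})
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def quote_ident(name: str) -> str:
    """Quote a PostgreSQL identifier: wrap in double quotes and double any
    embedded double quote (the same rendering psycopg2.sql.Identifier uses)."""
    return '"' + name.replace('"', '""') + '"'


def parse_sort_param(param: str):
    """Assumed grid convention: 'price' sorts ascending, '-price' descending."""
    if param.startswith("-"):
        return param[1:], "desc"
    return param, "asc"


def build_query_unsafe(sort_col: str, offset: int, limit: int) -> str:
    """The accepted answer's approach: the column name is interpolated verbatim,
    so whatever the client sends becomes part of the SQL text."""
    return "select * from items order by %s offset %s limit %s" % (sort_col, offset, limit)


def build_query(sort_param: str, offset: int, limit: int):
    """Return (sql_text, params) ready for cur.execute(sql_text, params).

    The column is validated against the allowlist and quoted as an identifier,
    the direction is mapped to a fixed keyword, and offset/limit stay as %s
    placeholders so the driver escapes them as values.
    """
    sort_col, direction = parse_sort_param(sort_param)
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort column not allowed: %r" % (sort_col,))
    dir_sql = DIRECTIONS[direction]  # parse_sort_param only yields asc/desc
    # %%s survives the % formatting as a literal %s placeholder for psycopg2.
    sql_text = "select * from items order by %s %s offset %%s limit %%s" % (
        quote_ident(sort_col),
        dir_sql,
    )
    return sql_text, (int(offset), int(limit))


if __name__ == "__main__":
    # Constructed client input: a legitimate sort and an injected one.
    print(build_query("-price", 0, 5))
    print(build_query_unsafe("id; drop table items --", 0, 5))
    try:
        build_query("id; drop table items --", 0, 5)
    except ValueError as exc:
        print("rejected:", exc)
```

In production the `quote_ident` step can be replaced by `psycopg2.sql.SQL("... order by {} {} offset %s limit %s").format(psycopg2.sql.Identifier(sort_col), psycopg2.sql.SQL(dir_sql))`, but the allowlist check stays: the library quotes identifiers, it does not decide which ones a client may use.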


11-01 19:23