Script Development / SQL Construction DFF.SQL
Using DFF.SQL(...) can conveniently generate dynamic SQL statements, avoiding SQL injection issues caused by manual SQL concatenation.
| Parameter |
Type |
Required / Default |
Description |
sql |
str |
Required |
SQL statement, which can include parameter placeholders.
? represents a parameter that needs escaping;
?? represents a parameter that does not need escaping |
sql_params |
list |
None |
SQL parameters |
Most SQL Connectors have this feature built-in
Most SQL Connectors created via DFF.CONN(...) already have this feature built-in and can be used directly.
You can directly use conn.query(sql, sql_params) without separately calling this method.
This method is mainly used for convenient DEBUG of SQL statements, allowing observation of the actual executed SQL statement via print(...).
| Example |
|---|
| sql = 'SELECT * FROM ?? WHERE id = ?'
sql_params = [ 'users', 'user-001' ]
print(DFF.SQL(sql, sql_params))
|
| Example Output |
|---|
| SELECT * FROM users WHERE id = 'user-001'
|
Parameter Expansion
To facilitate the generation of dynamic SQL, this method will expand parameters based on the value types in sql_params.
It allows users to package an uncertain number of contents as a parameter, which the system will automatically expand.
When using, you can pass an array or array for a parameter placeholder, such as:
Array Expansion
Parameters that are arrays will be automatically expanded as follows:
| Array Parameter Expansion |
|---|
| |
| Example 1 |
|---|
| sql = 'SELECT * FROM ?? WHERE status IN (?)'
sql_params = [
# Corresponds to the first parameter placeholder ??
'demo',
# Corresponds to the second parameter placeholder ?, parameter value is an array, automatically expanded into multiple values
[ 'error', 'warning' ]
]
result = db.query(sql, sql_params=sql_params)
|
| Actual Executed SQL |
|---|
| SELECT * FROM demo WHERE status IN ('error', 'warning')
|
Parameters that are arrays and whose elements are also arrays will be automatically expanded into two levels as follows:
| Two-dimensional Array Parameter Expansion |
|---|
| (p1_1, p1_2, p1_3, ...), (p2_1, p2_2, p2_3, ...), (p3_1, p3_2, p3_3, ...), ...`.
|
| Example 2 |
|---|
1
2
3
4
5
6
7
8
9
10
11
12
13 | sql = 'INSERT INTO ?? (id, name, value) VALUES ?'
sql_params = [
# Corresponds to the first parameter placeholder ??
'demo',
# Corresponds to the second parameter placeholder ?, parameter value is an array, automatically expanded into multiple values (i.e., multiple database records)
[
# Elements within the parameter value array are also arrays, automatically expanded further (i.e., multiple fields of each database record)
[ 1, 'zhang3', 100 ],
[ 1, 'li4', 200 ],
]
]
effected_rows = db.non_query(sql, sql_params=sql_params)
|
| Actual Executed SQL |
|---|
| INSERT INTO demo (id, name, value) VALUES (1, 'zhang3', 100), (1, 'li4', 200)
|
Dictionary Expansion
| Example |
|---|
1
2
3
4
5
6
7
8
9
10
11
12
13 | sql = 'INSERT INTO ?? SET ?'
sql_params = [
# Corresponds to the first parameter placeholder ??
'demo',
# Corresponds to the second parameter placeholder ?, dictionary automatically expanded into multiple assignment syntaxes
{
'id' : 1,
'name' : 'zhang3',
'value': 100,
}
]
effected_rows = db.non_query(sql, sql_params=sql_params)
|
| Actual Executed SQL |
|---|
| INSERT INTO demo SET id = 1, name = 'zhang3', value = 100
|