Script Development / SQL Construction DFF.SQL
Using DFF.SQL(...) can conveniently generate dynamic SQL statements, avoiding SQL injection issues caused by manual SQL concatenation.
| Parameter |
Type |
Required / Default Value |
Description |
sql |
str |
Required |
SQL statement, may include parameter placeholders.
? indicates an escaped parameter;
?? indicates a non-escaped parameter. |
sql_params |
list |
None |
SQL parameters |
Most SQL connectors have this feature built-in
Most operation objects of SQL connectors created via DFF.CONN(...) already have this feature built-in and can be used directly.
You can directly use conn.query(sql, sql_params) without calling this method separately.
This method is mainly used for debugging SQL statements, observing the actual executed SQL through print(...).
| Example |
|---|
| sql = 'SELECT * FROM ?? WHERE id = ?'
sql_params = [ 'users', 'user-001' ]
print(DFF.SQL(sql, sql_params))
|
| Example Output |
|---|
| SELECT * FROM users WHERE id = 'user-001'
|
Parameter Expansion
To facilitate the generation of dynamic SQL, this method will expand parameters based on the type of values in sql_params.
It allows users to pass an uncertain number of contents as a single parameter, which will be automatically expanded by the system.
When using it, you can fill in arrays or lists for certain parameter placeholders, such as:
Array Expansion
Parameters that are arrays will automatically expand into the following form:
| Array Parameter Expansion |
|---|
| |
| Example 1 |
|---|
| sql = 'SELECT * FROM ?? WHERE status IN (?)'
sql_params = [
# Corresponding to the first placeholder ??
'demo',
# Corresponding to the second placeholder ?, parameter value is an array, automatically expands into multiple values.
[ 'error', 'warning' ]
]
result = db.query(sql, sql_params=sql_params)
|
| Actual Executed SQL |
|---|
| SELECT * FROM demo WHERE status IN ('error', 'warning')
|
If the parameter is an array whose elements are also arrays, it will automatically perform two-level expansion into the following form:
| Two-Dimensional Array Parameter Expansion |
|---|
| (p1_1, p1_2, p1_3, ...), (p2_1, p2_2, p2_3, ...), (p3_1, p3_2, p3_3, ...), ...`.
|
| Example 2 |
|---|
1
2
3
4
5
6
7
8
9
10
11
12
13 | sql = 'INSERT INTO ?? (id, name, value) VALUES ?'
sql_params = [
# Corresponding to the first placeholder ??
'demo',
# Corresponding to the second placeholder ?, parameter value is an array, automatically expands into multiple values (i.e., multiple database records).
[
# Elements within the parameter value array are still arrays, automatically continue expanding (i.e., multiple fields for each database record).
[ 1, 'zhang3', 100 ],
[ 1, 'li4', 200 ],
]
]
effected_rows = db.non_query(sql, sql_params=sql_params)
|
| Actual Executed SQL |
|---|
| INSERT INTO demo (id, name, value) VALUES (1, 'zhang3', 100), (1, 'li4', 200)
|
Dictionary Expansion
| Example |
|---|
1
2
3
4
5
6
7
8
9
10
11
12
13 | sql = 'INSERT INTO ?? SET ?'
sql_params = [
# Corresponding to the first placeholder ??
'demo',
# Corresponding to the second placeholder ?, dictionaries automatically expand into multiple assignment syntaxes.
{
'id' : 1,
'name' : 'zhang3',
'value': 100,
}
]
effected_rows = db.non_query(sql, sql_params=sql_params)
|
| Actual Executed SQL |
|---|
| INSERT INTO demo SET id = 1, name = 'zhang3', value = 100
|