Script Development / SQL Construction DFF.SQL
Using DFF.SQL(...) can conveniently generate dynamic SQL statements, avoiding SQL injection issues caused by manual SQL concatenation.
| Parameter |
Type |
Required / Default Value |
Description |
sql |
str |
Required |
SQL statement, may include parameter placeholders.
? represents an escaped parameter;
?? represents an unescaped parameter. |
sql_params |
list |
None |
SQL parameters |
Most SQL-based connectors already have this feature built-in
For most objects created via DFF.CONN(...), which operate on SQL-based connectors, this functionality is already built-in and can be used directly.
You can directly use conn.query(sql, sql_params) without needing to call this method separately.
This method is mainly used for debugging SQL statements, allowing you to observe the actual executed SQL using print(...).
| Example |
|---|
| sql = 'SELECT * FROM ?? WHERE id = ?'
sql_params = [ 'users', 'user-001' ]
print(DFF.SQL(sql, sql_params))
|
| Example Output |
|---|
| SELECT * FROM users WHERE id = 'user-001'
|
Parameter Expansion
To facilitate the generation of dynamic SQL, this method will expand parameters based on the type of values in sql_params.
It allows users to package an uncertain number of items as a single parameter, which the system will automatically expand.
When using this, you can fill in arrays or lists for specific parameter placeholders, such as:
Array Expansion
Parameters that are arrays will automatically expand into the following form:
| Array Parameter Expansion |
|---|
| |
| Example 1 |
|---|
| sql = 'SELECT * FROM ?? WHERE status IN (?)'
sql_params = [
# Corresponds to the first placeholder ??
'demo',
# Corresponds to the second placeholder ?, with array value, automatically expands into multiple values
[ 'error', 'warning' ]
]
result = db.query(sql, sql_params=sql_params)
|
| Actual Executed SQL |
|---|
| SELECT * FROM demo WHERE status IN ('error', 'warning')
|
For parameters that are arrays whose elements are also arrays, a two-level expansion will occur in the following form:
| Two-Dimensional Array Parameter Expansion |
|---|
| (p1_1, p1_2, p1_3, ...), (p2_1, p2_2, p2_3, ...), (p3_1, p3_2, p3_3, ...), ...`.
|
| Example 2 |
|---|
1
2
3
4
5
6
7
8
9
10
11
12
13 | sql = 'INSERT INTO ?? (id, name, value) VALUES ?'
sql_params = [
# Corresponds to the first placeholder ??
'demo',
# Corresponds to the second placeholder ?, with array value, automatically expands into multiple values (i.e., multiple database records)
[
# Elements within the array value are still arrays, continuing automatic expansion (i.e., multiple fields per record)
[ 1, 'zhang3', 100 ],
[ 1, 'li4', 200 ],
]
]
effected_rows = db.non_query(sql, sql_params=sql_params)
|
| Actual Executed SQL |
|---|
| INSERT INTO demo (id, name, value) VALUES (1, 'zhang3', 100), (1, 'li4', 200)
|
Dictionary Expansion
| Example |
|---|
1
2
3
4
5
6
7
8
9
10
11
12
13 | sql = 'INSERT INTO ?? SET ?'
sql_params = [
# Corresponds to the first placeholder ??
'demo',
# Corresponds to the second placeholder ?, dictionary automatically expands into multiple assignment syntaxes
{
'id' : 1,
'name' : 'zhang3',
'value': 100,
}
]
effected_rows = db.non_query(sql, sql_params=sql_params)
|
| Actual Executed SQL |
|---|
| INSERT INTO demo SET id = 1, name = 'zhang3', value = 100
|