Issue 99: Substitution possibilities
What steps will reproduce the problem?
1. Execute a SQL statement substituting column names and values
What is the expected output? What do you see instead?
Expect substitution will work anywhere in query string
What version of the product are you using? On what operating system?
Latest version as of 28 May 2010, on Windows XP
Please provide any additional information below.
I have an application that reads both the column names and values from a
file. I would like to be able to do something like this:
import pyodbc
conn = pyodbc.connect(...)
curs = conn.cursor()
columns = ('A', 'B', 'C') # Normally read from a file
values = (1, 2, 3) # Normally read from a file
curs.execute('insert into foo (?, ?, ?) values (?, ?, ?)', columns + values)
However, it appears that the '?' substitution only works for values, since
I get an error message when I try this.
#1 mkleehammer (Project Member), May 28, 2010
Status: WontFix
May 28, 2010
Yes, I understand that the SQL is not being modified, but the parameters are supplied for the question marks as needed. Since I do not know the order the columns will be in the file I am using to build insert statements, I am unable to pass them on the insert statement. The file itself is CSV and the field names are in the first line. That is why I would like to be able to pass the column names as parameters using the question-mark substitution scheme. I am also worried about injection attacks, which is just the reason I would like to do things this way. Currently I am building the insert statement dynamically using the field names read from the file, hence the risk.
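
An added example, not part of the thread and not pyodbc's own code: because `?` markers bind only values, the column names read from the CSV header are checked against a trusted list of the table's columns and the statement text is built from that list, while the values stay parameterized. `quote_ident`, `build_insert`, `load_csv` and the sample data are hypothetical names constructed here, and `sqlite3` stands in for pyodbc (both use `?` markers) so the block runs offline.

```python
import csv
import io
import sqlite3  # stand-in for pyodbc; both use '?' (qmark) parameter markers

# Constructed sample file: header order differs from the table definition.
SAMPLE_CSV = "B,A,C\n2,1,3\n5,4,6\n"

def quote_ident(name):
    """ANSI double-quote an identifier (assumed quoting style; varies by DBMS)."""
    return '"' + name.replace('"', '""') + '"'

def build_insert(table, header, allowed_columns):
    """Build an INSERT whose column names come only from allowed_columns."""
    allowed = {c.lower(): c for c in allowed_columns}
    cols = []
    for name in header:
        canonical = allowed.get(name.strip().lower())
        if canonical is None:
            raise ValueError(f"column not in table: {name!r}")
        if canonical in cols:
            raise ValueError(f"duplicate column: {name!r}")
        cols.append(canonical)
    if not cols:
        raise ValueError("empty header")
    # Identifier text is taken from the trusted list, never from the file.
    col_sql = ", ".join(quote_ident(c) for c in cols)
    marks = ", ".join("?" for _ in cols)
    return f"INSERT INTO {quote_ident(table)} ({col_sql}) VALUES ({marks})"

def load_csv(conn, table, allowed_columns, text):
    """Insert every data row of the CSV text; values are bound as parameters."""
    rows = csv.reader(io.StringIO(text))
    header = next(rows)
    sql = build_insert(table, header, allowed_columns)
    cur = conn.cursor()
    count = 0
    for row in rows:
        if len(row) != len(header):
            raise ValueError(f"row has {len(row)} fields, expected {len(header)}")
        cur.execute(sql, row)
        count += 1
    conn.commit()
    return count

if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (A INTEGER, B INTEGER, C INTEGER)")
    print(load_csv(conn, "foo", ["A", "B", "C"], SAMPLE_CSV))
    print(conn.execute("SELECT A, B, C FROM foo ORDER BY A").fetchall())
```

With pyodbc, the trusted list can be read from the database catalog through `cursor.columns(table=...)` rather than hard-coded.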