Executing "SELECT ... WHERE ... IN ..." using MySQLdb

python mysql

Unfortunately, you need to manually construct the query parameters, because as far as I know, there is no built-in bind method for binding a list to an IN clause, similar to Hibernate's setParameterList(). However, you can accomplish the same with the following:

Python 3:

args=['A', 'C']
sql='SELECT fooid FROM foo WHERE bar IN (%s)' 
in_p=', '.join(list(map(lambda x: '%s', args)))
sql = sql % in_p
cursor.execute(sql, args)

Python 2:

args=['A', 'C']
sql='SELECT fooid FROM foo WHERE bar IN (%s)' 
in_p=', '.join(map(lambda x: '%s', args))
sql = sql % in_p
cursor.execute(sql, args)

Here is a similar solution which I think is more efficient in building up the list of %s strings in the SQL:

Use the list_of_ids directly:

format_strings = ','.join(['%s'] * len(list_of_ids))
cursor.execute("DELETE FROM foo.bar WHERE baz IN (%s)" % format_strings,
                tuple(list_of_ids))

That way you avoid having to quote yourself, and avoid all kinds of sql injection.

Note that the data (list_of_ids) is going directly to mysql's driver, as a parameter (not in the query text) so there is no injection. You can leave any chars you want in the string, no need to remove or quote chars.

Related

Is there a way to replenish a keep's health?
Is it possible to always smash the big prize Piñata in Plants vs Zombies 2
Filter the elements of a map based on a subset of its keys without iterating through the entire thing
What are historical entries?
How do I help my branded Uruk captain bully Uruk soldiers into joining him?
Are there special rewards for the temporary Hexakill gamemode?
Is thare a way to farm turtle shells?
How long do the bonuses from Focus Spirit last?
How do I play against Handlock?
Does the 'Recruit Defectors' Covert Op Mission cause the victim civ to lose units?
How do I get map coordinates in Far Cry 4
What has been removed from the Austrian "low violence" version of South Park - Stick of Truth?