In PgAdmin, I can do the following query successfully:

select * from "Faces" where "Face_Name" = 'Alex'

However, when I try to do the exact same query in python, I get endless syntax errors. I am trying to write the line like this:

cursor.execute('SELECT * from "Faces" where ("Face_Name" = 'Alex')

I understand the table and column names need to be in double quotes, and the whole query needs to be in single quotes. It also seems the string (in this case 'Alex') that I am searching for needs to be in single quotes.

How do I put all this together into a single line?

2
  • The database I am using is PostgreSQL 12 Commented Jul 17, 2020 at 5:53
  • What errors are you getting? Commented Jul 17, 2020 at 5:54

2 Answers

1

Assuming you did need to escape the table and column names, you could use double quotes. In that case, just escape the double quotes inside the Python SQL string:

sql = "SELECT * FROM \"Faces\" WHERE \"Face_Name\" = 'Alex'"
cursor.execute(sql)

9 Comments

I think the first part of your answer is misleading: if the double quotes were unnecessary, the query wouldn't work with quotes in pgAdmin. The second part of your answer is fine.
@LaurenzAlbe Are you saying that placing double quotes around a DB object name is invalid unless that object name must be escaped?
The double quotes are mandatory if the table name actually has upper-case letters (that is, if the CREATE TABLE command used double quotes). By default, without the double quotes, PostgreSQL turns everything lower-case, but that doesn't appear to be the case here.
@sabik That's not the only reason to use double quotes. The object name might also be a reserved keyword, etc.
Sure, but neither "Faces" nor "Face_Name" is in fact a keyword, or contains spaces or other special characters; they need to be quoted because of the upper-case letters.
1

There are two issues here:

  • As others already wrote, you need to be careful not to mix up the Python and SQL quotes; depending on the field name you may need to have both in the query, and either escape one of them or use """ for the Python string.
  • If the name "Alex" comes from a variable in Python, rather than being a constant, you should use a placeholder and pass it separately. This will help avoid security problems (SQL Injection) and is a good habit to get into whether or not it's required in this particular case.

Putting these together, the query should be:

cursor.execute('SELECT * from "Faces" where "Face_Name" = %s', ('Alex',))

3 Comments

No need for a prepared statement if the value 'Alex' happens to come internally from the application, and does not come from the outside.
It's a good idea to get into the habit... and presumably this is the first iteration of code which will eventually handle other names.
Reasoning added to the answer; even a vetted, trusted, fully-internal list of names will sooner or later contain someone named "O'Brien".
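Putting the two answers together, as an added example that is not from the question or either answer: the three Python spellings of the same SQL text, and a simulation of what the driver does with a %s placeholder once the value contains a quote (the quote_literal and render helpers are stand-ins written for this example, not psycopg2's own code; with a real connection you would just call cursor.execute(QUERY_PARAM, (name,))).

```python
# Added example: how to spell the SQL text in Python, and why a placeholder
# beats string formatting as soon as a value can contain a single quote.
# quote_literal() and render() only SIMULATE the client-side parameter
# rendering a driver such as psycopg2 performs; they are not the driver's code.

# 1. One SQL statement, three Python spellings: escaped double quotes,
#    escaped single quotes, or a triple-quoted string that needs no escaping.
QUERY_ESCAPED_DOUBLE = "SELECT * FROM \"Faces\" WHERE \"Face_Name\" = 'Alex'"
QUERY_ESCAPED_SINGLE = 'SELECT * FROM "Faces" WHERE "Face_Name" = \'Alex\''
QUERY_TRIPLE = """SELECT * FROM "Faces" WHERE "Face_Name" = 'Alex'"""

# 2. Parameterised form: the SQL text carries a placeholder and the value
#    travels separately, so Python quoting and SQL quoting never mix.
QUERY_PARAM = 'SELECT * FROM "Faces" WHERE "Face_Name" = %s'


def naive_query(name: str) -> str:
    """What string formatting produces: the raw value pasted into the SQL text."""
    return f"SELECT * FROM \"Faces\" WHERE \"Face_Name\" = '{name}'"


def quote_literal(value: str) -> str:
    """PostgreSQL string-literal quoting: wrap in single quotes and double any
    embedded single quote. Simplified stand-in for the driver's adapter."""
    return "'" + value.replace("'", "''") + "'"


def render(sql: str, params: tuple) -> str:
    """Simulate the driver replacing each %s with a correctly quoted literal."""
    return sql % tuple(quote_literal(p) for p in params)


def has_balanced_quotes(sql: str) -> bool:
    """Crude sanity check: an odd number of single quotes means a broken literal,
    which is exactly what naive formatting yields for a name like O'Brien."""
    return sql.count("'") % 2 == 0
```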
