I have code like this:
conn = pyodbc.connect(<Connection Details>)
c = conn.cursor()
employee_id=(100,101)
query = "select * from employees where employeeid in ?"
c.execute(query,employee_id)
I am getting this error:
'The SQL contains 1 parameter markers, but 2 parameters were supplied', 'HY000'
Is there any way to pass this parameter? I don't want to create a dynamic array by concatenation.
Is there any way to name the parameter marker inside the query in case of several where conditions?
1 Answer
If I remember correctly, the placeholder is %s and not ?.
Regardless, you can use the format method / string formatting to get the job done:
conn = pyodbc.connect(<Connection Details>)
c = conn.cursor()
employee_id=(100,101)
query = "select * from employees where employee_id in {}"
c.execute(query.format(employee_id))
4 Comments
Som-1
It's not a secure way to do that. SQL injection is possible with this code.
M Z
To add to what @Som-1 has said, prepared statements exist for a reason
Aditya
@som-1 I understand it is not a secure way. I just wanted to know how it is done in case I want to do it. :)
Som-1
@Aditya check my comment under the question - there is a link to a similar question, where similar but more secure code is provided: stackoverflow.com/questions/4574609/…
default
? correlates to 1 parameter. You've passed 2 parameters. What do you expect to occur? If you want to do more than 1 query you should run something like executemany, or run execute more than 1 time
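An added example, not part of the original thread: the IN list is built with one ? marker per value, so the values stay bound parameters instead of being formatted into the SQL text, and a second WHERE condition is appended positionally. It uses the standard-library sqlite3 module in place of pyodbc so that it runs without a database server (both accept ? markers); the table layout, sample rows and function names are assumptions made for illustration.

```python
import sqlite3


def in_markers(values):
    """Return '(?, ?, ...)' with exactly one marker per value."""
    if not values:
        raise ValueError("IN () needs at least one value")
    return "(" + ", ".join("?" * len(values)) + ")"


def employees_by_id(cursor, ids, department=None):
    """Fetch employees whose id is in `ids`, optionally filtered by department.

    Only the marker list is generated; every value is passed to execute()
    as a parameter, so the driver never parses it as SQL.
    """
    params = list(ids)
    if not params:
        return []  # an empty IN list is a syntax error and can match nothing
    sql = ("SELECT employeeid, name FROM employees "
           "WHERE employeeid IN " + in_markers(params))
    if department is not None:
        # Further conditions add one marker each, in the same order
        # as the values appended to the parameter list.
        sql += " AND department = ?"
        params.append(department)
    sql += " ORDER BY employeeid"
    cursor.execute(sql, params)
    return cursor.fetchall()


def demo_cursor():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    c = conn.cursor()
    c.execute("CREATE TABLE employees "
              "(employeeid INTEGER, name TEXT, department TEXT)")
    c.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                  [(100, "Ana", "ops"), (101, "Ben", "dev"), (102, "Cy", "dev")])
    return c


if __name__ == "__main__":
    cur = demo_cursor()
    print(employees_by_id(cur, (100, 101)))
    print(employees_by_id(cur, [101, 102], department="dev"))
```
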