Just getting back to this after a week.
Massimo, the syntax you provided for the case indicated does indeed
work. Thanks. Now I'm trying a variation of that case - adding an
AND to the WHERE - and can't seem to get the syntax quite right
(again).
For the record, this is the case that works...
rows=db.executesql('SELECT ... \
FROM ... \
WHERE table1.column = %s;' % sanitize
(session.mysession1,'string','sqlite'))
... and this is the variation that's giving me trouble...
rows=db.executesql('SELECT ... \
FROM ... \
WHERE table1.column = %s % sanitize
(session.mysession1,'string','sqlite') \
AND table2.column = %s;' % sanitize
(session.mysession2,'string','sqlite'))
Above is one way I tried dealing with it, with no luck. I tried some
other things too, like one sanitize() at the end with multiple
arguments. Also, no luck.
Any assistance is appreciated.
On Mar 30, 10:03 am, mdipierro <[email protected]> wrote:
> On Mar 30, 8:51 am, ctalley <[email protected]> wrote:
>
> > Is it possible to use a session variable as a parameter in a SQL
> > "WHERE" clause? See example below.
>
> > #assign value to session variable
> > session.mysession = ...
>
> > #use session variable in web2py DAL query
> > #*this works*
> > rows=db(db.table.column==session.mysession).select(...)
>
> this you can do
>
> > #use session variable in SQL query
> > #*this doesn't work* - 'no such column' error
> > #is there any way to do this?
> > rows=db.executesql('SELECT ...
> > FROM ...
> > WHERE table.column = session.mysession;')
>
> this you can but the syntax has to be different and you have to do in
> a way safe to prevent SQL injections. Should be:
>
> from gluon.sql import sql_represent as sanitize
> rows=db.executesql('SELECT ...
> FROM ...
> WHERE table.column = %s;' % sanitize
> (session.mysession,'string','sqlite') )
>
>
>
> > The obvious answer here is to just use what works (the DAL). However,
> > I have some very complex queries already written in SQL and would
> > rather not have to go to the trouble of morphing them into web2py DAL
> > syntax.
>
> > Thanks.- Hide quoted text -
>
> - Show quoted text -
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"web2py Web Framework" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/web2py?hl=en
-~----------~----~----~----~------~----~------~--~---
