Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for query parameters #92

Open
mirec-m opened this issue Dec 4, 2019 · 7 comments
Open

Add support for query parameters #92

mirec-m opened this issue Dec 4, 2019 · 7 comments

Comments

@mirec-m
Copy link

mirec-m commented Dec 4, 2019

I'm trying to call Presto SQL with a simple parameter ('SELECT * FROM my_table WHERE id=${id}'

I'm getting following error:

prestodb.exceptions.PrestoUserError: PrestoUserError(type=USER_ERROR, name=SYNTAX_ERROR, message="line 56:26: mismatched input '$'. Expecting: 'ALL', 'ANY', 'SOME', ", query_id=20191204_102703_00302_6fjsq)

It seems that when calling cursor's execute function, the query parameters are ignored.

As you can see from the following code snippet (from dbapi.py), params is not used anywhere.

def execute(self, operation, params=None): self._query = prestodb.client.PrestoQuery(self._request, sql=operation) result = self._query.execute() self._iterator = iter(result) return result

@kylestratis
Copy link

Big 👍
Looking at switching to PyHive because of the lack of support for query parameters, which seems like a pretty major oversight.

@iurnah
Copy link

iurnah commented Apr 21, 2020

You can achieve what you want with some python string feature.

the_id = 12345
query = f'''SELECT * FROM my_table WHERE id={the_id}'''`

if the_id is a parameter defined before, you can execute the query by

cursor.execute(query)

notice some python3 string formatting feature is used to replace the parameter in the query string.

@kylestratis
Copy link

kylestratis commented Apr 21, 2020

@iurnah this is generally a poor practice that causes query performance to suffer (compared to parametrized queries) and in many use cases open an application up to injection attacks.

See here: https://blog.codinghorror.com/give-me-parameterized-sql-or-give-me-death/

@ilanb1996
Copy link

Any updates on this issue? IMO it’s very critical and a must have for sql clients

@ghost
Copy link

ghost commented Aug 26, 2020

I've just found out that presto-python-client execute function doesn't support parametrized query so I've to resort to .format() after taking assurance from my team that no direct user-input will be allowed to format the query. For now, everything is settled but in future it may change.

Is this feature being implemented?

@thiagodma
Copy link

Any updates here? I'm interested

@ninoseki
Copy link

ninoseki commented Jun 5, 2023

I think we can port PyHive's implementation for binding params.
https://github.com/dropbox/PyHive/blob/master/pyhive/presto.py#L262-L266
https://github.com/dropbox/PyHive/blob/master/pyhive/presto.py#L45-L49
How about porting those class and function? (I can do that if this suggestion makes sense)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants