presto-python-client icon indicating copy to clipboard operation
presto-python-client copied to clipboard

Published 20 hours ago verified publisher icon prestodb

Add support for query parameters

Open mirec-m opened this issue 5 years ago • 7 comments

I'm trying to call Presto SQL with a simple parameter ('SELECT * FROM my_table WHERE id=${id}'

I'm getting following error:

prestodb.exceptions.PrestoUserError: PrestoUserError(type=USER_ERROR, name=SYNTAX_ERROR, message="line 56:26: mismatched input '$'. Expecting: 'ALL', 'ANY', 'SOME', ", query_id=20191204_102703_00302_6fjsq)

It seems that when calling cursor's execute function, the query parameters are ignored.

As you can see from the following code snippet (from dbapi.py), params is not used anywhere.

def execute(self, operation, params=None): self._query = prestodb.client.PrestoQuery(self._request, sql=operation) result = self._query.execute() self._iterator = iter(result) return result

mirec-m avatar Dec 04 '19 10:12 mirec-m

Big 👍 Looking at switching to PyHive because of the lack of support for query parameters, which seems like a pretty major oversight.

kylestratis avatar Apr 09 '20 15:04 kylestratis

You can achieve what you want with some python string feature.

the_id = 12345
query = f'''SELECT * FROM my_table WHERE id={the_id}'''`

if the_id is a parameter defined before, you can execute the query by

cursor.execute(query)

notice some python3 string formatting feature is used to replace the parameter in the query string.

iurnah avatar Apr 21 '20 00:04 iurnah

@iurnah this is generally a poor practice that causes query performance to suffer (compared to parametrized queries) and in many use cases open an application up to injection attacks.

See here: https://blog.codinghorror.com/give-me-parameterized-sql-or-give-me-death/

kylestratis avatar Apr 21 '20 02:04 kylestratis

Any updates on this issue? IMO it’s very critical and a must have for sql clients

ilanb1996 avatar Jul 01 '20 09:07 ilanb1996

I've just found out that presto-python-client execute function doesn't support parametrized query so I've to resort to .format() after taking assurance from my team that no direct user-input will be allowed to format the query. For now, everything is settled but in future it may change.

Is this feature being implemented?

ghost avatar Aug 26 '20 08:08 ghost

Any updates here? I'm interested

thiagodma avatar Nov 03 '21 12:11 thiagodma

I think we can port PyHive's implementation for binding params. https://github.com/dropbox/PyHive/blob/master/pyhive/presto.py#L262-L266 https://github.com/dropbox/PyHive/blob/master/pyhive/presto.py#L45-L49 How about porting those class and function? (I can do that if this suggestion makes sense)

ninoseki avatar Jun 05 '23 17:06 ninoseki