如何正确执行带参数的 MSSQL 存储过程 Python
How correctly execute a MSSQL stored procedure with parameters in Python
目前我正在以这种方式执行存储过程:
engine = sqlalchemy.create_engine(self.getSql_conn_url())
query = "exec sp_getVariablesList @City = '{0}', @Station='{1}'".format(City, Station)
self.Variables = pd.read_sql_query(query, engine)
但在 How set ARITHABORT ON at sqlalchemy 处被正确地注意到,这使得 SQL 注入开放。我尝试了不同的方法但没有成功。那么应该如何给MSSQL存储过程传递参数来消除SQL注入的风险呢?这可以使用 sqlalchemy 或任何其他方式。
使用“命名”参数样式编写您的 SQL 命令文本,将其包装在 SQLAlchemy text()
对象中,并将参数值作为字典传递:
import pandas as pd
import sqlalchemy as sa
connection_uri = "mssql+pyodbc://@mssqlLocal64"
engine = sa.create_engine(connection_uri)
# SQL command text using "named" paramstyle
sql = """
SET NOCOUNT ON;
SET ARITHABORT ON;
EXEC dbo.breakfast @name = :name_param, @food = :food_param;
"""
# parameter values
param_values = {"name_param": "Gord", "food_param": "bacon"}
# execute query wrapped in SQLAlchemy text() object
df = pd.read_sql_query(sa.text(sql), engine, params=param_values)
print(df)
"""
column1
0 Gord likes bacon for breakfast.
"""
目前我正在以这种方式执行存储过程:
engine = sqlalchemy.create_engine(self.getSql_conn_url())
query = "exec sp_getVariablesList @City = '{0}', @Station='{1}'".format(City, Station)
self.Variables = pd.read_sql_query(query, engine)
但在 How set ARITHABORT ON at sqlalchemy 处被正确地注意到,这使得 SQL 注入开放。我尝试了不同的方法但没有成功。那么应该如何给MSSQL存储过程传递参数来消除SQL注入的风险呢?这可以使用 sqlalchemy 或任何其他方式。
使用“命名”参数样式编写您的 SQL 命令文本,将其包装在 SQLAlchemy text()
对象中,并将参数值作为字典传递:
import pandas as pd
import sqlalchemy as sa
connection_uri = "mssql+pyodbc://@mssqlLocal64"
engine = sa.create_engine(connection_uri)
# SQL command text using "named" paramstyle
sql = """
SET NOCOUNT ON;
SET ARITHABORT ON;
EXEC dbo.breakfast @name = :name_param, @food = :food_param;
"""
# parameter values
param_values = {"name_param": "Gord", "food_param": "bacon"}
# execute query wrapped in SQLAlchemy text() object
df = pd.read_sql_query(sa.text(sql), engine, params=param_values)
print(df)
"""
column1
0 Gord likes bacon for breakfast.
"""