Add quotes to every list element
PythonPython Problem Overview
I'm very new to python. I need a simple and clear script to add quotes to every list elements. Let me explain more. Here is the my code.
parameters = ['a', 'b', 'c']
query = "SELECT * FROM foo WHERE bar IN (%s)" % (', '.join(parameters))
I want to use this to query. But result is invalid query. Here is the result.
SELECT * FROM foo WHERE bar IN (a, b, c, d)
I want to like this:
SELECT * FROM foo WHERE bar IN ('a', 'b', 'c', 'd')
How to add quotes while joining elements.
Python Solutions
Solution 1 - Python
A naive solution would be to iterate over your parameters list and append quotes to the beginning and end of each element:
(', '.join('"' + item + '"' for item in parameters))
Note: this is vulnerable to SQL injection (whether coincidental or deliberate). A better solution is to let the database quote and insert these values:
query = "SELECT * FROM foo WHERE bar IN (%s)" % ','.join('?' * len(params))
cursor.execute(query, params)
It's easier to read and handles quoting properly.
Solution 2 - Python
For simple parameters, the following should work:
query = "SELECT * FROM foo WHERE bar IN %s" % repr(tuple(map(str,parameters)))
This may break down when the parameter names themselves include quotes, as the escaping rules are different.
Solution 3 - Python
As you asked it, use this:
parameters = ['a', 'b', 'c']
', '.join(map(lambda x: "'" + x + "'", parameters))
Since you're creating an SQL query, please use your database library's features regarding input sanitation (example for mysqldb). You don't want to end up with an issue like Bobby Tables.
Solution 4 - Python
In general (ignoring SQL)
In [3]: print(' '.join('"%s"' % x for x in ['a', 'b']))
"a" "b"