Add support for query parameters

Question

Add support for query parameters

mirec-m opened this issue 5 years ago · comments

I'm trying to call Presto SQL with a simple parameter ('SELECT * FROM my_table WHERE id=${id}'

I'm getting following error:

prestodb.exceptions.PrestoUserError: PrestoUserError(type=USER_ERROR, name=SYNTAX_ERROR, message="line 56:26: mismatched input '$'. Expecting: 'ALL', 'ANY', 'SOME', ", query_id=20191204_102703_00302_6fjsq)

It seems that when calling cursor's execute function, the query parameters are ignored.

As you can see from the following code snippet (from dbapi.py), params is not used anywhere.

def execute(self, operation, params=None): self._query = prestodb.client.PrestoQuery(self._request, sql=operation) result = self._query.execute() self._iterator = iter(result) return result

Kyle Stratis · Answer 1 · Thu Apr 09 2020 23:31:07 GMT+0800 (China Standard Time)

Big 👍
Looking at switching to PyHive because of the lack of support for query parameters, which seems like a pretty major oversight.

iurnah · Answer 2 · Tue Apr 21 2020 08:01:17 GMT+0800 (China Standard Time)

You can achieve what you want with some python string feature.

the_id = 12345
query = f'''SELECT * FROM my_table WHERE id={the_id}'''`

if the_id is a parameter defined before, you can execute the query by

cursor.execute(query)

notice some python3 string formatting feature is used to replace the parameter in the query string.

Kyle Stratis · Answer 3 · Tue Apr 21 2020 10:32:01 GMT+0800 (China Standard Time)

@iurnah this is generally a poor practice that causes query performance to suffer (compared to parametrized queries) and in many use cases open an application up to injection attacks.

See here: https://blog.codinghorror.com/give-me-parameterized-sql-or-give-me-death/

ilanb1996 · Answer 4 · Wed Jul 01 2020 17:05:40 GMT+0800 (China Standard Time)

Any updates on this issue? IMO it’s very critical and a must have for sql clients

Deleted user · Answer 5 · Wed Aug 26 2020 16:47:31 GMT+0800 (China Standard Time)

I've just found out that presto-python-client execute function doesn't support parametrized query so I've to resort to .format() after taking assurance from my team that no direct user-input will be allowed to format the query. For now, everything is settled but in future it may change.

Is this feature being implemented?

Thiago Dantas · Answer 6 · Wed Nov 03 2021 20:18:38 GMT+0800 (China Standard Time)

Any updates here? I'm interested

Manabu Niseki · Answer 7 · Tue Jun 06 2023 01:45:07 GMT+0800 (China Standard Time)

I think we can port PyHive's implementation for binding params.
https://github.com/dropbox/PyHive/blob/master/pyhive/presto.py#L262-L266
https://github.com/dropbox/PyHive/blob/master/pyhive/presto.py#L45-L49
How about porting those class and function? (I can do that if this suggestion makes sense)