pynative

A Python Programming blog

Python MySQL Execute Parameterized Query using Prepared Statement

Filed Under: Python MySQL | 1 Comment

This article demonstrates how to use Parameterized query or Prepared Statement from your python to perform MySQL database operations. Let’s see how to execute Python MySQL Parameterized Query using Prepared Statement.

What is the parameterized query in python

A parameterized query is a query in which placeholders used for parameters and the parameter values supplied at execution time. That means parameterized query gets compiled only once.

Let’s see the example of a parameterized query:

sql_parameterized_query = """Update employee set city = %s where emp_id = %s"""

As you can see, we are passing a parameter (%s) for the values. You must supply values in place of the placeholders (%s) before you can execute this query using Prepared Statement. Here we provide python variables at the position of the placeholder.

Sometimes it is more convenient to use a parameterized Query or prepared statement for sending SQL queries to the database. But the main question is why to use Prepared Statement in python? 

Why use parameterized Query and Prepared Statement while working with the database in Python?

There are the main 4 reasons to use. There are the main four reasons to use.

  • Improves Speed: If you want to execute SQL statement/query many times, it usually reduces execution time
  • Compile Once: The main advantage of using a parameterized query is that parameterized query compiled only once.  That means when you executed the parameterized query,  MySQL can just run the SQL statement without having to recompile it. It uses already precompiled query and directly executes it.
    Note: For a standard query, MySQL complies query each time before executing it.
  • Same Operation with Different Data: if you want to execute the same query multiple time with different data. For example, you want to insert 200 rows in a table then you can use parameterized query so it can compile once and execute every time with different column values.
  • Preventing SQL injection attacks.

Let’s see how to use the parameterized query to perform MySQL database operations using Python.

Note: We are using MySQL Connector Python to execute a Parameterized query.

How to use Parameterized query and prepared statement in Python

We can use the MySQLCursorPrepared class to execute the parameterized query. MySQLCursorPrepared inherits from MySQLCursor  (CURSOR class).

Cursor() method of the connection object returns a MySQLCursorPrepared object of a regular cursor object. Using MySQLCursorPrepared class, we can execute the prepared statement.

Create a Prepared statement using connection.cursor(prepared=True). The simpler syntax is to use a prepared=True argument in the connection.cursor() method.

import mysql.connector
connection = mysql.connector.connect(host='localhost',
                             database='python_db',
                             user='pynative',
                             password='pynative@#29')

cursor = connection.cursor(prepared=True) #this will return MySQLCursorPrepared object

cursor = connection.cursor(prepared=True) Lets you have a specific cursor on which statements prepared. and returns a MySQLCursorPrepared class instance.

Note: You can also create a prepared statement by explicitly passing the MySQLCursorPrepared class as an argument.  connection.cursor(cursor_class=MySQLCursorPrepared)

Python MySQL example to execute a parameterized query using Prepared Statement

In this example, I am updating the “computer” table values.  Here I am updating the value of the “ram” column of a computer table. You can update your table name and column details to update.

import mysql.connector
from mysql.connector import Error
from mysql.connector import errorcode
try:
   connection = mysql.connector.connect(host='localhost',
                             database='python_db',
                             user='pynative',
                             password='pynative@#29')

   cursor = connection.cursor(prepared=True)

   #Update single record now
   sql_parameterized_query = """Update computers set ram = %s where id = %s"""
   ram = 20
   id = 2
   input = (ram, id)
   cursor.execute(sql_parameterized_query , input)
   connection.commit()
   print("Record Updated successfully using prepared stament")

except mysql.connector.Error as error :
    print("Failed to update record to database: {}".format(error))
    connection.rollback()
finally:
    #closing database connection.
    if(connection.is_connected()):
        connection.close()
        print("MySQL connection is closed")

You can get the following output if you execute the above program.

Record Updated successfully with a prepared statement
MySQL connection is closed

understand Python MySQL parameterized Query program

  • We used the functionmysql.connector.connect to connect the MySQL Database. This function accepts the required parameters: Host, Database, User, and Password. if a connection is successfully established it will return the connection object.
  • We created a prepared statement object using the function connection.cursor(prepared=True). This function returns the MySQLCursorPrepared class.
  • Then we created the parameterized SQL query. in this query, we are using two placeholders for two table column.
  • Next, We used the prepared statement to accept user input using a placeholder, i.e. we put two placeholders in update query one for “ram” column and other is for the” id” column.
  • We then added those two columns value in the input tuple in sequential order and passed SQL update query and input tuple t0 cursor.execute() function,  remember tuple contain user data in sequential order of placeholders.
  • In the end, we are committing our changes to the database using connection.commit()
  • We placed our all code in the try-except block to catch exceptions if any.

A cursor instantiated from connection.cursor(prepared=True) ( MySQLCursorPrepared ) class works like this:

  • The first time you pass a SQL query statement to the cursor’s execute() method, it prepares the statement.
    For subsequent invocations of executing, the preparation phase is skipped if the statement is the same, i.e. the query is not compiled again.
  • The CURSOR’s execute() method takes an optional second argument containing a list of data values. each entry in the list must be in tuple format to associate with parameter markers in the statement.
  • If the list argument is present, there must be one value per parameter marker in sequential order of placeholders.
    for example, you have two placeholders in a Query then a list of values will be like :
    list = [(10,2), (20,3), (40,4)]
conn = mysql.connector.connect(host='localhost',
                             database='python_db',
                             user='pynative',
                             password='pynative@#29')
cursor = connection.cursor(prepared=True)
query = "SELECT * FROM python_users WHERE id = %s"
cursor.execute(query, (1,)) 
# ... retrieve data ...
cursor.execute(query, (2,))                           
# ... retrieve data ...
  • in the first cursor.execute(query, (1,))  python prepares statement i.e. Query gets compiled.
  • For subsequent calls of a cursor.execute() query will not be compiled again, this step is skipped and the query executed directly with passed parameter values.
  • Note: we passed placeholders value in tuple format (1,)

Use Parameterized query and Prepared Statement to Insert data into MySQL table

Sometimes you need to insert a python variable as a column value in the insert query. For example, a user has filled an online form and clicked on submit.

So you need to insert those values into a MySQL table you can do that using a parametrized query. First, you need to take user input into a variable and pass that variable to the INSERT query as a placeholder ( %s ).

For example, You want to insert a new row into the MySQL Employee table, all values are dynamic i.e. depends on user input.

Let see how to insert into a table using a parameterized query or prepared statement.

import mysql.connector
from mysql.connector import Error

try:
    connection = mysql.connector.connect(host='localhost',
                                         database='python_db',
                                         user='pynative',
                                         password='pynative@#29')

    cursor = connection.cursor(prepared=True)

    sql_insert_query = """ INSERT INTO `employee`
                       (`id`, `name`,`salary`,`city`) VALUES (%s,%s,%s,%s)"""
    emp_id = 3
    emp_name = "Jason"
    salary = 8000
    city = "New York"

    insert_tuple = (emp_id, emp_name, salary, city)

    result = cursor.execute(sql_insert_query, insert_tuple)
    connection.commit()

    print("variable inserted successfully into employee table using the prepared statement")

except mysql.connector.Error as error:
    connection.rollback()
    print("parameterized query failed {}".format(error))

finally:
    # closing database connection.
    if (connection.is_connected()):
        cursor.close()
        connection.close()
        print("MySQL connection is closed")

Output:

variable inserted successfully into employee table using the prepared statement

Use Parameterized query and Prepared Statement to Update data of MySQL table

Now, Let see how to use the prepared statement and parametrized query to update the data of MySQL table.

When we need input from the user. For example, when user updating their profile through User Interface that time values are determined at runtime. we need to use python variables in a query.

It is always best practice to use parametrized query i.e. placeholders ( %s ) inside an Update SQL statements that contain input from users.

Let’ s see the example program now, in this example, we are updating the salary of an employee using a parameterized query.

import mysql.connector
from mysql.connector import Error

try:
    connection = mysql.connector.connect(host='localhost',
                                         database='python_db',
                                         user='pynative',
                                         password='pynative@#29')

    cursor = connection.cursor(prepared=True)
    
    # Update single record now
    sql_update_query = """Update employee set salary= %s where id = %s"""
    
    sal = 12000
    id = 5
    input_tuple = (sal, id)
    
    cursor.execute(sql_update_query, input_tuple)
    connection.commit()
    print("Record Updated successfully with prepared statement")

except mysql.connector.Error as error:
    connection.rollback()
    print("parameterized query failed {}".format(error))

finally:
    # closing database connection.
    if (connection.is_connected()):
        cursor.close()
        connection.close()
        print("MySQL connection is closed")

Output:

Record Updated successfully with prepared statement

Use Parameterized query and Prepared Statement to Delete data into MySQL table

Now, Let see how to use the prepared statement and parametrized query to delete the data of MySQL table.

For an example when user deleting their data from the web portal. In such a scenario, we need to use those variables inside a parameterized query using a placeholder ( %s ).

import mysql.connector
from mysql.connector import Error

try:
    connection = mysql.connector.connect(host='localhost',
                                         database='python_db',
                                         user='pynative',
                                         password='pynative@#29')

    cursor = connection.cursor(prepared=True)

    # Delete record now
    sql_Delete_query = """Delete from employee where id = %s"""
    emp_id = 3
    
    cursor.execute(sql_Delete_query, (emp_id,))
    connection.commit()
    print("\n Record Deleted successfully ")

except mysql.connector.Error as error:
    connection.rollback()
    print("parameterized query failed {}".format(error))

finally:
    # closing database connection.
    if (connection.is_connected()):
        cursor.close()
        connection.close()
        print("MySQL connection is closed")

The Output of the above program:

Record Deleted successfully

Next Steps:

To practice what you learned in this article, I have created a Python Database programming Quiz and Exercise Project.

That’s it. Folks Let me know your comments and questions in the section below.

Related Articles

Python Exercises
Python Tricks
Join Our Newsletter
Signup today and receive New Python Articles, Exercises, Tips and Tricks straight in your inbox Every WEEK!
We take your privacy seriously. No spam Ever!. Unsubscribe any time!
Keep Reading
Python Basic (10),  Python MySQL (14),  Python PostgreSQL (8),  Python Exercises (11),  Python Generate Random Data (13),  Python Quizzes (3)

Reader Interactions

Comments

  1. Can you tell me what this syntax to .execute is doing? Where is this style of parameter substitution explained?
    c.execute(“””
    select dateTime, rain from archive where dateTime >= :now – (24 * 3600 * :past )
    AND dateTime <= :now
    ORDER BY dateTime
    """, {"now": storm_now, "past": storm_in_past})

    I don't find this :parameter style mentioned anywhere.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *