BASH W10でSQLを呼び出してPythonを実行する

BASH W10でSQLを呼び出してPythonを実行する

このPythonファイルpython pid_info.py 12345を実行してみると、次のようになります。

#!/usr/bin/env python
import subprocess
import sys, getopt

# add if -b or -e then look for username/email like etc... 
# figure out how to store the db creds in separate file 
class color:
   PURPLE = '\033[95m'
   CYAN = '\033[96m'
   DARKCYAN = '\033[36m'
   BLUE = '\033[94m'
   GREEN = '\033[92m'
   YELLOW = '\033[93m'
   RED = '\033[91m'
   BOLD = '\033[1m'
   UNDERLINE = '\033[4m'
   FLASH = '\033[0.5m'
   END = '\033[0m'

# DB info:
host = 
db=
user=
password=
# take the argument provided by user
UN=str(sys.argv[1])    
# SQL query to return user info + role
f_statement1 = """ set nocount on; set ansi_warnings off; 
SELECT 
pl.placement_id PID, pl.placement_name, p.partner_name Publisher, pc.description Platform_client, pit.description +'/'+ dt.description  Integration_Device
FROM placement pl 
JOIN partner p ON pl.partner_id = p.partner_id 
JOIN platform_client pc ON p.platform_client_id = pc.platform_client_id
JOIN placement_integration_type_assoc pita ON pl.placement_id = pita.placement_id 
JOIN placement_integration_type pit ON pita.placement_integration_type_id = pit.placement_integration_type_id
JOIN device_type dt ON pl.device_type_id = dt.device_type_id 
WHERE pit.active=1
AND pita.active=1 AND pl.placement_id = """ + str(UN)

f_statement2 = """ set nocount on; set ansi_warnings off; 
SELECT 
pl.max_ad_duration Seconds, c.abbreviation Country,
CASE WHEN passback_allowed=0 THEN 'GUARANTEED' ELSE 'PASSBACK' END AS Buy_Type, 
CASE WHEN pl.skippable=0 THEN 'Non-Skippable' ELSE 'Skippable' END AS Skippable,
CASE WHEN pl.active=1 THEN 'ACTIVE' ELSE 'NOT_ACTIVE' END AS Status
FROM placement pl 
JOIN country c ON pl.country_id = c.country_id
WHERE   pl.placement_id =""" + str(UN)

f_statement3 = """ set nocount on; set ansi_warnings off;
SELECT url_expression FROM AN_MAIN..placement_domain_whitelist
WHERE active=1 and placement_id =""" + str(UN)

# run the first query
print('\n')
print(color.UNDERLINE + color.BOLD + "Results for PID " + str(UN) + ":" + color.END)
results1=subprocess.call(["sqlcmd", "-S", host, "-U",user, "-P",password, "-d",db, "-Q", f_statement1, "-Y","30", "-s", "|" ])
print('\n')
results1=subprocess.call(["sqlcmd", "-S", host, "-U",user, "-P",password, "-d",db, "-Q", f_statement2, "-Y","30", "-s", "|" ])
print('\n')
print(color.UNDERLINE + color.BOLD + "Whitelist for PID " + str(UN) + ":" + color.END)
print('\n')
results1=subprocess.call(["sqlcmd", "-S", host, "-U",user, "-P",password, "-d",db, "-Q", f_statement3, "-Y","30", "-s", "|" ])
print('\n')

input ()

これによりエラーが発生します。

Results for PID 12345:
Traceback (most recent call last):
  File "pid_info.py", line 57, in <module>
    results1=subprocess.call(["sqlcmd", "-S", host, "-U",user, "-P",password, "-d",db, "-Q", f_statement1, "-Y","30", "-s", "|" ])
  File "/usr/lib/python2.7/subprocess.py", line 523, in call
    return Popen(*popenargs, **kwargs).wait()
  File "/usr/lib/python2.7/subprocess.py", line 711, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1343, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory

ここでどのような変更を行う必要がありますか?

答え1

sqlcmdPythonスクリプトは、環境変数にリストされているディレクトリにない環境で実行されますPATH

スクリプトを呼び出す前にあったディレクトリを含めるPATHか、フルパスを使用してください。sqlcmdsqlcmd


外部バイナリを使用せずにPythonコードからデータベース接続を作成できるPython用のSQLライブラリがあると確信しています。これにより、SQLインジェクション攻撃に対して脆弱ではない準備済みステートメントを実行することもできます。

変数をクリーンアップしませんUN。つまり、次のようにスクリプトを呼び出すことができます。"12345; DROP DATABASE 'mydatabase';"

関連情報