{"id":1726,"library":"sqlparams","title":"SQL Params","description":"sqlparams is a utility package for converting between various SQL parameter styles. This can simplify the use of SQL parameters in queries by allowing the use of named parameters where only ordinal parameters are supported. Current version is 6.2.0, released on 2024-01-25. It appears to have a regular release cadence, with several minor and major versions released annually.","status":"active","version":"6.2.0","language":"en","source_language":"en","source_url":"https://github.com/cpburnz/python-sqlparams","tags":["sql","database","parameters","db-api","orm-helper"],"install":[{"cmd":"pip install sqlparams","lang":"bash","label":"Install stable version"}],"dependencies":[{"reason":"Requires Python 3.8 or newer.","package":"python","optional":false}],"imports":[{"note":"The attributes 'named' and 'ordinal' on SQLParams were renamed to 'in_style' and 'out_style' respectively in version 6.0.0.","wrong":"from sqlparams import named, ordinal","symbol":"SQLParams","correct":"from sqlparams import SQLParams"}],"quickstart":{"code":"import sqlparams\n\n# Convert from named style (e.g., ':name') to qmark style (e.g., '?')\nquery_converter = sqlparams.SQLParams('named', 'qmark')\n\n# Example 1: Single parameter\nsql_in = \"SELECT * FROM users WHERE name = :name;\"\nparams_in = {'name': \"Thorin\"}\nsql_out, params_out = query_converter.format(sql_in, params_in)\n\nprint(f\"Original SQL: {sql_in}\")\nprint(f\"Original Params: {params_in}\")\nprint(f\"Converted SQL: {sql_out}\")\nprint(f\"Converted Params: {params_out}\\n\")\n# Expected: SELECT * FROM users WHERE name = ?; ['Thorin']\n\n# Example 2: Tuple expansion for IN operator\nsql_in_in = \"SELECT * FROM users WHERE name IN :names;\"\nparams_in_in = {'names': (\"Dori\", \"Nori\", \"Ori\")}\nsql_out_in, params_out_in = query_converter.format(sql_in_in, params_in_in)\n\nprint(f\"Original SQL (IN): {sql_in_in}\")\nprint(f\"Original Params (IN): {params_in_in}\")\nprint(f\"Converted SQL (IN): {sql_out_in}\")\nprint(f\"Converted Params (IN): {params_out_in}\\n\")\n# Expected: SELECT * FROM users WHERE name IN (?,?,?); ['Dori', 'Nori', 'Ori']\n\n# Example 3: Multiple parameter sets for executemany\nsql_many_in = \"UPDATE users SET age = :age WHERE name = :name;\"\nparams_many_in = [\n    {'name': \"Dwalin\", 'age': 169},\n    {'name': \"Balin\", 'age': 178}\n]\nsql_many_out, params_many_out = query_converter.formatmany(sql_many_in, params_many_in)\n\nprint(f\"Original SQL (many): {sql_many_in}\")\nprint(f\"Original Params (many): {params_many_in}\")\nprint(f\"Converted SQL (many): {sql_many_out}\")\nprint(f\"Converted Params (many): {params_many_out}\")\n# Expected: UPDATE users SET age = ? WHERE name = ?; [[169, 'Dwalin'], [178, 'Balin']]\n","lang":"python","description":"Demonstrates initializing SQLParams to convert from named to qmark style, then using the `format` method for single and tuple parameters, and `formatmany` for multiple sets of parameters."},"warnings":[{"fix":"Upgrade to Python 3.8+ and update attribute access from `.named` to `.in_style` and `.ordinal` to `.out_style`. Ensure named parameters do not start with digits.","message":"Version 6.0.0 dropped support for Python 3.7 (which is End-of-Life). Additionally, the attributes `named` and `ordinal` on the `SQLParams` class were renamed to `in_style` and `out_style` respectively. The private attributes `match` and `replace` were also removed. Named parameters must now be valid identifiers and can no longer start with a digit.","severity":"breaking","affected_versions":">=6.0.0"},{"fix":"Maintain consistent tuple lengths across all parameter sets when using `formatmany()` with tuple expansion, or switch to calling `format()` individually for each parameter set.","message":"When using tuple expansion (e.g., for `IN` clauses) with `SQLParams.formatmany()`, ensure that all tuples for a given parameter across *all* parameter sets have the exact same number of elements. If the tuple sizes vary, `formatmany()` will fail, and it's recommended to use `SQLParams.format()` in a loop instead for each parameter set.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Strictly use `sqlparams.format()` or `sqlparams.formatmany()` with all user-supplied data placed in the `params` argument (as a dictionary or sequence), never concatenating it into the `sql` argument.","message":"While `sqlparams` enables safe parameterized queries by converting parameter styles, it does not inherently prevent SQL injection if user input is directly concatenated into the SQL string *before* being processed by `sqlparams`. Always pass user-provided values exclusively through the parameters dictionary/list, never directly into the SQL query string itself.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-09T00:00:00.000Z","next_check":"2026-07-08T00:00:00.000Z"}