SQL Server pyodbc.ProgrammingError 42000 (8114) error converting data type varchar to float

ct3nt3jp  于 2023-10-15  发布在  其他
关注(0)|答案(1)|浏览(125)

The below is my code:

if data['Key']['Name'] == ".AORD" or data['Key']['Name'] == ".CBD100" or data['Key']['Name'] == ".CNT" or data['Key']['Name'] == ".CSI300" or data['Key']['Name'] == ".CSI300FS" or data['Key']['Name'] == ".DJI" or data['Key']['Name'] == ".FCHI" or data['Key']['Name'] == ".FTSE" or data['Key']['Name'] == ".GDAXI" or data['Key']['Name'] == ".HSCC" or data['Key']['Name'] == ".HSCE" or data['Key']['Name'] == ".HSCI" or data['Key']['Name'] == ".HSCIC" or data['Key']['Name'] == ".HSCIU" or data['Key']['Name'] == ".HSNC" or data['Key']['Name'] == ".HSNF" or data['Key']['Name'] == ".HSNP" or data['Key']['Name'] == ".HSTECH" or data['Key']['Name'] == ".INX" or data['Key']['Name'] == ".N255" or data['Key']['Name'] == ".SPHKGEM" or data['Key']['Name'] == ".SSE180" or data['Key']['Name'] == ".SSE380I" or data['Key']['Name'] == ".SSE50" or data['Key']['Name'] == ".SSEA" or data['Key']['Name'] == ".SSEB" or data['Key']['Name'] == ".SZSA" or data['Key']['Name'] == ".SZSB" or data['Key']['Name'] == ".SZSC" or data['Key']['Name'] == ".SZ100" or data['Key']['Name'] == ".SZI":
    print("[", datetime.datetime.now(), "]" + data['Key']['Name'] + " Turnover: " , data['Fields']['TURNOVER'], " Value: ", data['Fields']['TRDPRC_1'])
    if data['Fields']['TURNOVER'] == None:
        sqlg = "UPDATE STOCK.dbo.Curr_Indexs SET Value=CAST(\'" + str(data['Fields']['TRDPRC_1']) + "\' AS FLOAT) , Net_Change=CAST(\'" + str(data['Fields']['NETCHNG_1']) + "\' AS FLOAT) , Percent_Change=CAST(\'" + str(data['Fields']['PCTCHNG']) + "\' AS FLOAT) , DayHigh=CAST(\'" + str(data['Fields']['HIGH_1']) + "\' AS FLOAT) , DayLow=CAST(\'" + str(data['Fields']['LOW_1']) + "\' AS FLOAT) , OFF_CLOSE=CAST(\'" + str(data['Fields']['OFF_CLOSE']) + "\' AS FLOAT) , Date=\'" + str(datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")) + "\' ,Data_Time=\'" + str(datetime.datetime.now().strftime("%H:%M:%S")) + "\' WHERE nRic=\'" + data['Key']['Name'] + "\'"
    if data['Fields']['TURNOVER'] != None:
        sqlg = "UPDATE STOCK.dbo.Curr_Indexs SET Value=CAST(\'" + str(data['Fields']['TRDPRC_1']) + "\' AS FLOAT) , Net_Change=CAST(\'" + str(data['Fields']['NETCHNG_1']) + "\' AS FLOAT) , Percent_Change=CAST(\'" + str(data['Fields']['PCTCHNG']) + "\' AS FLOAT) , DayHigh=CAST(\'" + str(data['Fields']['HIGH_1']) + "\' AS FLOAT) , DayLow=CAST(\'" + str(data['Fields']['LOW_1']) + "\' AS FLOAT) , OFF_CLOSE=CAST(\'" + str(data['Fields']['OFF_CLOSE']) + "\' AS FLOAT) , Turnover= CAST(\'" + str(float(data['Fields']['TURNOVER'])) + "\' AS FLOAT) , Date=\'" + str(datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")) + "\' ,Data_Time=\'" + str(datetime.datetime.now().strftime("%H:%M:%S")) + "\' WHERE nRic=\'" + data['Key']['Name'] + "\'"
                
    cur1.execute(sqlg)
    conn1.commit()

Does anybody knows what is the problem? The type in the data base are float(except the Date and Data_Time). please help. Thank you.

I know SQL injection is bad practice but it shouldn't produce this error? The below code works in the same program for reference:

if data['Key']['Name'] == ".NQUOTA.SH" or data['Key']['Name'] == ".NQUOTA.ZK" or data['Key']['Name'] == ".SQUOTA.HS" or data['Key']['Name'] == ".SQUOTA.HZ":
    if "QUTA_REM" in data['Fields']:
        print("[", datetime.datetime.now(), "]", data['Key']['Name']  ,": QUTA_REM: ", data['Fields']['QUTA_REM'])
        sqle = "UPDATE STOCK.dbo.NorthBoundQuota SET DailyQBalance= " + str(data['Fields']['QUTA_REM']/100000) + ", Date=\'" + str(datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")) + "\' WHERE nRic=\'" + data['Key']['Name'] + "\'"
        cur1.execute(sqle)
        conn1.commit()

DailyQBalance is type float in the database.

I could see the raw JSON data and they're not None/Null/empty, they are numbers. And previously I used the below SQL and it produced the same error:

sqlg = "UPDATE STOCK.dbo.Curr_Indexs SET Value=\'" + str(data['Fields']['TRDPRC_1']) + "\' , Net_Change=\'" + str(data['Fields']['NETCHNG_1']) + "\' , Percent_Change=\'" + str(data['Fields']['PCTCHNG']) + "\' , DayHigh=\'" + str(data['Fields']['HIGH_1']) + "\' , DayLow=\'" + str(data['Fields']['LOW_1']) + "\' , OFF_CLOSE=\'" + str(data['Fields']['OFF_CLOSE']) + "\' , Turnover=\'" + str(float(data['Fields']['TURNOVER'])) + "\' , Date=\'" + str(datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")) + "\' ,Data_Time=\'" + str(datetime.datetime.now().strftime("%H:%M:%S")) + "\' WHERE nRic=\'" + data['Key']['Name'] + "\'"
h7appiyu

h7appiyu1#

I changed the code to use parameterized queries and it works. But what I don't understand is why some SQL injection statments work while other don't (especially when the data received has the same type as the problematic SQL statement and the columns being updated are the same (float)).

相关问题