Print keys from dictionary as tuple without quotation marks

Question

I have this dictionary which keys I later want to pass into a sql statement:

dic = {'address': 'Emil-Dannecker-Straße 2, 78234 Engen',
       'addressLink': 'https://atlas.immobilienscout24.de/adresse/78234-engen-emil-dannecker-str-2',
      'date': '28.12.2018',
      'distance': '85 m',
      'id': '109087587',
      'livingArea': '27 m²',
      'position': {'lat': 47.85883, 'lng': 8.76808},
      'price': '320 €',
      'priceSqm': '11,85 €/m²',
      'realtor': {'contactPageUrl': None, 'label': 'von Privat'},
      'roomCount': '1',
      'status': 'Deactivated'}

My desired output is this:

(realtor,
 distance,
 date,
 addressLink,
 status,
 roomCount,
 priceSqm,
 id,
 position,
 livingArea,
 address,
 price)

So far, I have tried tuple(dic.keys()), which gives me:

('realtor',
 'distance',
 'date',
 'addressLink',
 'status',
 'roomCount',
 'priceSqm',
 'id',
 'position',
 'livingArea',
 'address',
 'price')

Is there an easy way to transfrom the keys into the desired format?

Answer 1

First of all: don't use user-provided input to generate SQL! That's a recipe for SQL injections, a major security flaw. Use a library like SQLAlchemy to handle dynamic SQL instead.

If you have specific formatting requirements, don't use the built-in containers. Those have only a single mode of representation, aimed at helping debugging.

Just print your values directly:

print("({})".format(",\n ".join(dic)))

There is no need to call dic.keys() here, iteration will give you the keys directly.

Take into account that the order of the keys may be arbirtary! Python 3.6 and newer preserve insertion order in dictionaries, but it may be that the way your dictionary was built still gives you a different order than you want to see in the output.

Demo:

>>> dic = {'address': 'Emil-Dannecker-Straße 2, 78234 Engen',
...        'addressLink': 'https://atlas.immobilienscout24.de/adresse/78234-engen-emil-dannecker-str-2',
...       'date': '28.12.2018',
...       'distance': '85 m',
...       'id': '109087587',
...       'livingArea': '27 m²',
...       'position': {'lat': 47.85883, 'lng': 8.76808},
...       'price': '320 €',
...       'priceSqm': '11,85 €/m²',
...       'realtor': {'contactPageUrl': None, 'label': 'von Privat'},
...       'roomCount': '1',
...       'status': 'Deactivated'}
>>> print("({})".format(",\n ".join(dic)))
(address,
 addressLink,
 date,
 distance,
 id,
 livingArea,
 position,
 price,
 priceSqm,
 realtor,
 roomCount,
 status)

You can't reliably use this for SQL insert statements!, not only because there is a potential for SQL injection, but also because any key names that are also reserved SQL keywords will lead to errors, and so will spaces or special characters.

E.g. this would be a really bad dictionary to try and turn into columns:

dic = {
    "select": "reserved keyword",
    'use " quotes': "contains special characters",
    "Robert'; DROP TABLE students; --": "There goes your table!",
}

You'd want to use double quotes around the column names to properly escape any problematic values. Any double quotes in the column name should be doubled. So to properly format and escape value, use this:

columns = "({})".format(',\n '.join([
    '"{}"'.format(key.replace('"', '""'))
    for key in dic]))

This, at least, protects you from SQL injections when generating column names:

>>> dic = {
...     "select": "reserved keyword",
...     'use " quotes': "contains special characters",
...     "Robert'; DROP TABLE students; --": "There goes your table!",
... }
>>> columns = "({})".format(',\n '.join([
...     '"{}"'.format(key.replace('"', '""'))
...     for key in dic]))
>>> print(columns)
("select",
 "use "" quotes",
 "Robert'; DROP TABLE students; --")

SQLAlchemy would handle this kind of detail for you, including validating if the column names even exist at all.

Answer 2

print('(%s)' % ',\n '.join(dic.keys()))