oracle : sql command does not complete correctly

Question

I tried to update a table from xsls file, but the problem is that I have space when I parse the lines.

Function:

def updateclientadress(nom, cnom, cplt_adr, adr, lieudit, cp, ville, numcli):
   #nom = str(nom)
   query = "update d_client set NOM = {}, CNOM = {}, CRUE = {}, RUE = {}, COMMUNE = {}, CODPOST = {}, VILLE = {} where NUMCLI = {}".format(nom, cnom, cplt_adr, adr, lieudit, cp, ville, numcli)
   print(query)
   cursorOracle.execute(query)

Printing the query:

update d_client set NOM = STE SAS GIG, CNOM = nan, CRUE = Zone Industrielle de Pariacabo, RUE = Rue, COMMUNE = BP 81, CODPOST = nan, VILLE = nan where NUMCLI = 270

As you can see, there are spaces in "NOM", "CRUE", so the oracle doesn't accept the update status,

The Error:

error:ORA-00933: la commande SQL ne se termine pas correctement

Note that the variable is extracted from an excel file. And the goal is to parse the 200k lines to update the database.

Answer 1

NEVER use string concatenation (or template strings) to build queries; that is how you introduce SQL injection vulnerabilities.

Instead, you should use a parameterised query and bind variables:

def updateclientadress(nom, cnom, cplt_adr, adr, lieudit, cp, ville, numcli):
   query = "update d_client set NOM = :1, CNOM = :2, CRUE = :3, RUE = :4, COMMUNE = :5, CODPOST = :6, VILLE = :7 where NUMCLI = :8"
   cursorOracle.execute(query, [nom, cnom, cplt_adr, adr, lieudit, cp, ville, numcli])