insert a dictionary into sql data base
David Bear
david.bear at asu.edu
Mon Dec 5 18:32:34 EST 2005
Fredrik Lundh wrote:
> David Bear wrote
>
>> Fredrik Lundh wrote:
>>
>> > cursor.execute(
>> > "INSERT INTO table (%s) VALUES (%%s);" % (",".join(fields)),
>> > *values
>> > )
>>
>> Thanks for the hint. However, I don't understand the syntax.
>>
>> I will be inserting in to postgresql 8.x. I assumed the entire string
>> would be evaluated prior to being sent to the cursor.
>
> Looks like you missed advice 1-3. I'll take it again: DON'T USE STRING
> FORMATTING TO INSERT VALUES IN A DATABASE. Sorry for shouting,
> but this is important. Parameter passing gives you simpler code, and
> fewer security holes.
>
please, shout until I 'get it'... I don't mind. I just don't understand
using the star in front of the values variable; it generates a syntax
exception for me.
>> However, when I attempt to manual construct the sql insert statment
>> above I get an error:
>>
>> >>> print "INSERT INTO table (%s) VALUES (%%s);" % (",".join(fields),
>> *values)
>> File "<stdin>", line 1
>> print "INSERT INTO table (%s) VALUES (%%s);" % (",".join(fields),
>> *values)
>> ^
>> SyntaxError: invalid syntax
>
> DON'T MANUALLY CONSTRUCT THE SQL INSERT STATEMENT. Use string
> formatting to insert the field names, but let the database layer deal with
> the values.
since I am so new to this, I didn't know the database layer would handle
this for me. Is the evaluation of the fieldname done by the dbapi layer or
by postgresql?
>
> If you want to do things in two steps, do the fields formatting first
>
> query = "INSERT INTO table (%s) VALUES (%%s);" % (",".join(fields))
>
> and pass the query and the values sequence to the database layer:
>
> cursor.execute(query, values)
I found this info on the pgdb interface:
http://www.pygresql.org/pg.html
section 4.7 describes the insert method. It is passed the tablename and a
dictionary. But it doesn't describe how it resolves fieldnames and their
values. I assume the dictionary key MUST correspond to a named field.
>
> The database will take care of the rest.
this is my trouble. I always think I need to do more -- but I can't seem to
find good examples on the http://www.pygresql.org/pgdb.html website.
Do know of any good examples?
>
> </F>
--
David Bear
-- let me buy your intellectual property, I want to own your thoughts --
More information about the Python-list
mailing list