Newbie needs Help

John Machin sjmachin at lexicon.net
Wed Aug 16 23:58:42 EDT 2006 

len wrote:
> Hi all
>
> I am writing a python program that inserts records into a database on
> XP using mxODBC.
>
> I need to write a section of code which will create the following SQL
> command as an example;
>
> INSERT INTO statecode (state, name) VALUES ('IL', 'Illinois')
>
> This statement will be built up using the following code;
>
> import mx.ODBC
> import mx.ODBC.Windows
> def insertFromDict(table, dict):
>     """Take dictionary object dict and produce sql for
>     inserting it into the named table"""
>     sql = 'INSERT INTO ' + table
>     sql += ' ('
>     sql += ', '.join(dict)
>     sql += ') VALUES ('
>     sql += ', '.join(map(dictValuePad, dict))     # ??? this code does
> NOT format correctly
>     sql += ')'
>     return sql
>
> def dictValuePad(key):                                # ??? this code
> does Not format correctly
>     return "'" + str(key) + "'"
>
> db = mx.ODBC.Windows.DriverConnect('dsn=UICPS Test')
> c = db.cursor()
> insert_dict = {'state':'IL', 'name':'Illinois'}
> sql = insertFromDict("statecode", insert_dict)
> print sql
> c.execute(sql)
>

The code below will do what you say that you want to do -- so long as
all your columns are strings (varchar or whatever in SQL terms).
Otherwise IMHO you would be much better off doing it this way:
    sql = "insert into policy (type, premium) values(?, ?)"
    data = ('building', 123.45)
    cursor.execute(sql, data)
for two reasons:
(1) let the ODBC kit worry about formatting dates, strings with
embedded single quotes, etc
(2) it can be more efficient; the sql is constant and needs to be
parsed only once
(3) [bonus extra reason] the way you are doing it is vulnerable to
what's called an "SQL injection attack"; although you have no doubt
eyeballed all the data, doing it that way is a bad habit to get into.

You should be able to modify the supplied code very easily to produce
the sql variety with "?" in it.

HTH,
John

C:\junk>type sqlinsdict.py
def sqlquote(astring):
    return "'" + astring.replace("'", "''") + "'"

def insertFromDict(table, adict):
    """Take dictionary object dict and produce sql for
    inserting it into the named table.
    Sample input:
    insert_dict = {'state':'IL', 'name':'Illinois'}
    sql = insertFromDict("statecode", insert_dict)
    Required output:
    INSERT INTO statecode (state, name) VALUES ('IL', 'Illinois')
    """

    t = [
        'INSERT INTO ',
        table,
        ' (',
        ', '.join(adict.keys()),
        ') VALUES (',
        ', '.join(sqlquote(x) for x in adict.values()),
        ')',
        ]
    return ''.join(t)

if __name__ == "__main__":
    tests = [
        ('IL', 'Illinois'),
        ('OH', "O'Hara"),
        ]
    cols = ['state', 'name']
    for test in tests:
        the_dict = dict(zip(cols, test))
        print the_dict
        print insertFromDict('statecode', the_dict)

C:\junk>sqlinsdict.py
{'state': 'IL', 'name': 'Illinois'}
INSERT INTO statecode (state, name) VALUES ('IL', 'Illinois')
{'state': 'OH', 'name': "O'Hara"}
INSERT INTO statecode (state, name) VALUES ('OH', 'O''Hara')

More information about the Python-list mailing list