more pythonic

Paul McGuire ptmcg at austin.rr.com
Thu Feb 28 07:42:02 EST 2008


On Feb 28, 5:40 am, Temoto <temo... at gmail.com> wrote:
> Hello.
>
> There is a Django application, i need to place all its data into
> Access mdb file and send it to user.
> It seems to me that params filling for statement could be expressed in
> a more beautiful way.
> Since i'm very new to Python, i don't feel that, though.
>
> Could you tell your opinion on that snippet?
>
> <code>
>     sql = """insert into salesmanager
>         (employeeid, name, officelocation, departmentname, salary)
>         values (?, ?, ?, ?, ?);"""
>     params = []
>     for manager in Manager.objects.all():
         params.append( (manager.id, manager.name, manager.office,
>                         manager.department, manager.salary) )
>     curs.executemany(sql, params)
> </code>

Replace:
    params = []
    for manager in Manager.objects.all():
        params.append( (manager.id, manager.name,
                        manager.office, manager.department,
                        manager.salary) )

With this list comprehension:

    params = [ (mgr.id, mgr.name, mgr.office,
                 mgr.department, mgr.salary)
                for mgr in Manager.objects.all() ]

But the technique you are using, of creating a params list instead of
doing explicit string construction, IS the safe SQL-injection-
resistant way to do this.

-- Paul
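To make Paul's last point concrete, here is an added example (not code from the thread) that runs the same insert both ways against an in-memory sqlite3 database. It assumes sqlite3 in place of the Access mdb and a plain dataclass in place of the Django Manager model; the sample rows, including the hostile name, are constructed for the demo. The string-built version lets a crafted name rewrite the salary column and cannot even store an innocent name such as O'Brien, while the executemany/params version stores every value literally.

```python
import sqlite3
from dataclasses import dataclass


# Stand-in for the Django model in the thread (assumption: no Django here).
@dataclass
class Manager:
    id: int
    name: str
    office: str
    department: str
    salary: int


# Constructed sample rows. The second "name" is what an attacker could type
# into a user-editable field: it closes the quoted value, supplies its own
# salary, and comments out the remainder of the statement.
MANAGERS = [
    Manager(1, "Alice Smith", "Austin", "Sales", 90000),
    Manager(2, "Bob', 'HQ', 'Exec', 999999); --", "Dallas", "Sales", 85000),
]

# Same statement as the original post; sqlite3 uses the same ? placeholders.
SQL = """insert into salesmanager
    (employeeid, name, officelocation, departmentname, salary)
    values (?, ?, ?, ?, ?);"""


def fresh_db():
    """In-memory sqlite3 database standing in for the Access file."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table salesmanager (employeeid integer, name text, "
        "officelocation text, departmentname text, salary integer)"
    )
    return conn


def rows(conn):
    return conn.execute(
        "select employeeid, name, officelocation, departmentname, salary "
        "from salesmanager order by employeeid"
    ).fetchall()


def insert_by_string_building(managers):
    """The unsafe pattern: field values spliced into the SQL text."""
    conn = fresh_db()
    for m in managers:
        stmt = (
            "insert into salesmanager "
            "(employeeid, name, officelocation, departmentname, salary) "
            f"values ({m.id}, '{m.name}', '{m.office}', '{m.department}', {m.salary});"
        )
        conn.execute(stmt)
    return rows(conn)


def insert_with_params(managers):
    """Paul's pattern: the SQL text is fixed, values travel separately."""
    conn = fresh_db()
    params = [(mgr.id, mgr.name, mgr.office, mgr.department, mgr.salary)
              for mgr in managers]
    conn.executemany(SQL, params)
    return rows(conn)


def string_building_accepts(name):
    """True if the string-built insert can store this name at all."""
    try:
        insert_by_string_building([Manager(3, name, "Austin", "Sales", 1)])
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    # Row 2 ends up as (2, 'Bob', 'HQ', 'Exec', 999999) in the first case
    # and keeps the whole hostile string as the name in the second.
    print(insert_by_string_building(MANAGERS))
    print(insert_with_params(MANAGERS))
    print(string_building_accepts("O'Brien"))
```

The parameterized path is also the one that handles the apostrophe case correctly, so it is both the safe and the correct way to write this, regardless of whether the data comes from users.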


