more pythonic
7stud
bbxx789_05ss at yahoo.com
Thu Feb 28 06:48:31 EST 2008
On Feb 28, 4:40 am, Temoto <temo... at gmail.com> wrote:
> Hello.
>
> There is a Django application, i need to place all its data into
> Access mdb file and send it to user.
> It seems to me that params filling for statement could be expressed in
> a more beautiful way.
> Since i'm very new to Python, i don't feel that, though.
>
> Could you tell your opinion on that snippet?
>
> <code>
> sql = """insert into salesmanager
> (employeeid, name, officelocation, departmentname, salary)
> values (?, ?, ?, ?, ?);"""
> params = []
> for manager in Manager.objects.all():
>     params.append( (manager.id, manager.name, manager.office,
>                     manager.department, manager.salary) )
> curs.executemany(sql, params)
> </code>
It's my understanding that the way you insert arguments into queries
has to be done in a db-specific way. If done in that way, your
queries will be protected against sql injection attacks, AND the query
strings will be constructed in a more efficient manner.
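The point about db-specific parameter passing, as an added example that is not from the thread: it uses sqlite3 (whose paramstyle is "qmark", the same ? placeholders the post uses) as a stand-in for the Access connection, a namedtuple named Manager in place of the Django model, and constructed sample rows, and it puts the string-formatted insert next to the executemany version so the difference in behaviour is visible.

```python
import sqlite3
from collections import namedtuple

# Stand-in for the Django Manager model in the post: same five attributes.
Manager = namedtuple("Manager", "id name office department salary")

# Constructed sample data. The apostrophe in the second name is ordinary
# data, yet it is enough to break a query built by string formatting.
MANAGERS = [
    Manager(1, "Alice Smith", "Berlin", "Sales", 5200),
    Manager(2, "Bob O'Brien", "Dublin", "Support", 4800),
]

DDL = """create table salesmanager
(employeeid integer, name text, officelocation text,
 departmentname text, salary integer)"""


def fresh_db():
    """New in-memory database with the table the post inserts into."""
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    return conn


def insert_parameterised(conn, managers):
    """The post's approach: placeholders plus executemany. The driver, not
    the caller, handles quoting. sqlite3.paramstyle == 'qmark', so ? is
    the placeholder; other drivers use %s, :name or $1 instead."""
    sql = """insert into salesmanager
(employeeid, name, officelocation, departmentname, salary)
values (?, ?, ?, ?, ?)"""
    params = [(m.id, m.name, m.office, m.department, m.salary)
              for m in managers]
    conn.executemany(sql, params)
    return len(params)


def unsafe_insert_ok(managers):
    """String formatting makes the data part of the statement. Returns
    False when the database rejects a statement mangled by a value."""
    conn = fresh_db()
    try:
        for m in managers:
            sql = ("insert into salesmanager values (%d, '%s', '%s', '%s', %d)"
                   % (m.id, m.name, m.office, m.department, m.salary))
            conn.execute(sql)
        return True
    except sqlite3.OperationalError:
        return False


def stored_names(conn):
    """Names as the database actually stored them, in insertion order."""
    return [row[0] for row in conn.execute(
        "select name from salesmanager order by employeeid")]
```

With sqlite3 the formatted version fails loudly on the apostrophe; with a driver that silently accepts the mangled statement, the same flaw is what an injected value exploits.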