[Tutor] sqlite3 module

ThreeBlindQuarks threesomequarks at proton.me
Mon Apr 17 22:17:42 EDT 2023 

Dumb question. Is there a reason to assume the keys are not presented in the same order as the values?

Sure, there may be no guarantee. Just as an example, the older version of dictionaries presented the items in no specified order and people who cared, used an ordered dictionary variant. It is now stated the order is maintained as the newest item at the end and deleting items leaves things in order unless a copy is added later and goes to the end.

But if what you say is true and you want a more bulletproof version, would this do?

keys = [ key for key in dict.keys()]

values = [ dict[key] for key in keys ]

Something along those lines would guarantee that a static copy of a dictionary could have a 1:1 correspondence between a list of keys and a list of values for purposes like the SQL statement that specifies additions or updates using one list of each that have to be completely aligned.

Yes, I hear there are generations of tools that allow you to not really know SQL and that can be great or can grate those not very grateful.

BTW, I took Alan's hint and after searching for my darn password, updated my account to send myself a copy of messages. Oddly, it already seemed to be set to do that but I also set the setting to send myself a copy even when I am already a known co-recipient and will see if the software handles anything different.

I think many would like to know when their message has been received. The mailing list maintainers, of course, prefer minimizing how many messages they send out.

They are not on this forum but I wonder if they have considered letting a sender know when a message has had parts removed or changed. I know not to attach but quite a few people posting here have blithely sent attachments and waited to see if anyone can advise them on things they cannot see!


Sent with Proton Mail secure email.

------- Original Message -------
On Monday, April 17th, 2023 at 3:20 PM, Dennis Lee Bieber <wlfraed at ix.netcom.com> wrote:


> On Sun, 16 Apr 2023 17:27:28 -0700, Alex Kleider alexkleider at gmail.com
> 
> declaimed the following:
> 
> > f_values = ", ".join([repr(value) for value in data.values()])
> 
> 
> NO... You want the API placeholder -- which for Python's sqlite3 module
> is simple a ? for each value. There may also be the matter that
> data.values() may not be in the same order as data.keys() (current Python
> does claim that the keys will be returned in the same order if .keys() is
> called multiple times, but I haven't seen if values() uses that order)
> 
> > query = ("INSERT INTO Receipts ({}) VALUES ({});"
> > .format(f_keys, f_values))
> 
> 
> You DO NOT want to stuff the actual data values into the query in this
> manner -- it opens you up to injection attacks
> 
> https://xkcd.com/327/
> 
> It is the responsibility of the API module to sanitize and escape data
> values in accordance with the requirements of the actual database engine.
> (for many years, the MySQL API interface used %s as the placeholder, and
> used % formatting to fill a copy of the query with values -- BUT every
> value was first passed through a sanitizing function which was responsible
> for converting numeric data to string, escaping embedded quotes, etc.)
> 
> > print(query)
> > cursor.execute(query, data)
> 
> 
> Without placeholders, passing "data" does nothing.
> 
> 
> #relying upon .keys() returning the same order on each call
> #list-comprehension may not be needed for the first
> f_keys = ", ".join(list(data.keys()))
> f_values = [data[key] for key in data.keys()]
> placeholder = ", ".join(["?" for _ in data.keys()])
> 
> query = ("INSERT INTO Receipts ({}) VALUES ({});"
> .format(f_keys, placeholder))
> 
> cursor.execute(query, f_values)
> 
> _______________________________________________
> Tutor maillist - Tutor at python.org
> To unsubscribe or change subscription options:
> https://mail.python.org/mailman/listinfo/tutor

More information about the Tutor mailing list