FAQ
Hello.

There is a Django application, i need to place all its data into
Access mdb file and send it to user.
It seems to me that params filling for statement could be expressed in
a more beautiful way.
Since i'm very new to Python, i don't feel that, though.

Could you tell your opinion on that snippet?

<code>
sql = """insert into salesmanager
(employeeid, name, officelocation, departmentname, salary)
values (?, ?, ?, ?, ?);"""
params = []
for manager in Manager.objects.all():
params.append( (manager.id, manager.name, manager.office,
manager.department, manager.salary) )
curs.executemany(sql, params)
</code>

Search Discussions

  • 7stud at Feb 28, 2008 at 11:48 am

    On Feb 28, 4:40?am, Temoto wrote:
    Hello.

    There is a Django application, i need to place all its data into
    Access mdb file and send it to user.
    It seems to me that params filling for statement could be expressed in
    a more beautiful way.
    Since i'm very new to Python, i don't feel that, though.

    Could you tell your opinion on that snippet?

    <code>
    ? ? sql = """insert into salesmanager
    ? ? ? ? (employeeid, name, officelocation, departmentname, salary)
    ? ? ? ? values (?, ?, ?, ?, ?);"""
    ? ? params = []
    ? ? for manager in Manager.objects.all():
    ? ? ? ? params.append( (manager.id, manager.name, manager.office,
    manager.department, manager.salary) )
    ? ? curs.executemany(sql, params)
    </code>
    It's my understanding that the way you insert arguments into queries
    has to be done in a db specific way. If done in that way, your
    queries will be protected against sql injection attacks, AND the query
    strings will be constructed in a more efficient manner.
  • 7stud at Feb 28, 2008 at 11:50 am

    On Feb 28, 4:48?am, 7stud wrote:
    It's my understanding that the way you insert arguments into queries
    has to be done in a db specific way. ?
    Rather:

    It's my understanding that the way you insert arguments into queries
    *should* be done in a db specific way. ?
  • Paul McGuire at Feb 28, 2008 at 12:42 pm

    On Feb 28, 5:40?am, Temoto wrote:
    Hello.

    There is a Django application, i need to place all its data into
    Access mdb file and send it to user.
    It seems to me that params filling for statement could be expressed in
    a more beautiful way.
    Since i'm very new to Python, i don't feel that, though.

    Could you tell your opinion on that snippet?

    <code>
    ? ? sql = """insert into salesmanager
    ? ? ? ? (employeeid, name, officelocation, departmentname, salary)
    ? ? ? ? values (?, ?, ?, ?, ?);"""
    ? ? params = []
    ? ? for manager in Manager.objects.all():
    ? ? ? ? params.append( (manager.id, manager.name, manager.office,
    manager.department, manager.salary) )
    ? ? curs.executemany(sql, params)
    </code>
    Replace:
    params = []
    for manager in Manager.objects.all():
    params.append( (manager.id, manager.name,
    manager.office, manager.department,
    manager.salary) )

    With this list comprehension:

    params = [ (mgr.id, mgr.name, mgr.office,
    mgr.department, mgr.salary)
    for mgr in Manager.objects.all() ]

    But the technique you are using, of creating a params list instead of
    doing explicit string construction, IS the safe SQL-injection-
    resistant way to do this.

    -- Paul
  • Temoto at Feb 28, 2008 at 2:58 pm

    On 28 ???, 15:42, Paul McGuire wrote:
    On Feb 28, 5:40 am, Temoto wrote:


    Hello.
    There is a Django application, i need to place all its data into
    Access mdb file and send it to user.
    It seems to me that params filling for statement could be expressed in
    a more beautiful way.
    Since i'm very new to Python, i don't feel that, though.
    Could you tell your opinion on that snippet?
    <code>
    sql = """insert into salesmanager
    (employeeid, name, officelocation, departmentname, salary)
    values (?, ?, ?, ?, ?);"""
    params = []
    for manager in Manager.objects.all():
    params.append( (manager.id, manager.name, manager.office,
    manager.department, manager.salary) )
    curs.executemany(sql, params)
    </code>
    Replace:
    params = []
    for manager in Manager.objects.all():
    params.append( (manager.id, manager.name,
    manager.office, manager.department,
    manager.salary) )

    With this list comprehension:

    params = [ (mgr.id, mgr.name, mgr.office,
    mgr.department, mgr.salary)
    for mgr in Manager.objects.all() ]

    But the technique you are using, of creating a params list instead of
    doing explicit string construction, IS the safe SQL-injection-
    resistant way to do this.

    -- Paul
    Thanks a lot. I've been actually waiting for a list comprehension.
  • Paul McGuire at Feb 28, 2008 at 4:02 pm

    On Feb 28, 8:58?am, Temoto wrote:
    On 28 ???, 15:42, Paul McGuire wrote:




    On Feb 28, 5:40 am, Temoto wrote:

    Hello.
    There is a Django application, i need to place all its data into
    Access mdb file and send it to user.
    It seems to me that params filling for statement could be expressed in
    a more beautiful way.
    Since i'm very new to Python, i don't feel that, though.
    Could you tell your opinion on that snippet?
    <code>
    ? ? sql = """insert into salesmanager
    ? ? ? ? (employeeid, name, officelocation, departmentname, salary)
    ? ? ? ? values (?, ?, ?, ?, ?);"""
    ? ? params = []
    ? ? for manager in Manager.objects.all():
    ? ? ? ? params.append( (manager.id, manager.name, manager.office,
    manager.department, manager.salary) )
    ? ? curs.executemany(sql, params)
    </code>
    Replace:
    ? ? params = []
    ? ? for manager in Manager.objects.all():
    ? ? ? ? params.append( (manager.id, manager.name,
    ? ? ? ? ? ? ? ? ? ? ? ? manager.office, manager.department,
    ? ? ? ? ? ? ? ? ? ? ? ? manager.salary) )
    With this list comprehension:
    ? ? params = [ (mgr.id, mgr.name, mgr.office,
    ? ? ? ? ? ? ? ? ?mgr.department, mgr.salary)
    ? ? ? ? ? ? ? ? for mgr in Manager.objects.all() ]
    But the technique you are using, of creating a params list instead of
    doing explicit string construction, IS the safe SQL-injection-
    resistant way to do this.
    -- Paul
    Thanks a lot. I've been actually waiting for a list comprehension.- Hide quoted text -

    - Show quoted text -
    In general, whenever you have:

    someNewList = []
    for smthg in someSequence:
    if condition(smthg):
    someNewList.append( elementDerivedFrom(smthg) )

    replace it with:

    someNewList = [ elementDerivedFrom(smthg)
    for smthg in someSequence
    if condition(smthg) ]

    -- Paul
  • Alan Isaac at Feb 29, 2008 at 11:57 pm

    Paul McGuire wrote:

    In general, whenever you have:
    someNewList = []
    for smthg in someSequence:
    if condition(smthg):
    someNewList.append( elementDerivedFrom(smthg) )
    replace it with:
    someNewList = [ elementDerivedFrom(smthg)
    for smthg in someSequence
    if condition(smthg) ]






    What is the gain? (Real question.)

    I think the first is often easier to read.

    Is the second more efficient?



    Also, I think list comprehensions are often easier to read

    as equivalent generator expressions:



    someNewList = list( elementDerivedFrom(smthg)

    for smthg in someSequence

    if condition(smthg) )



    Tastes vary of course.



    Cheers,

    Alan Isaac
  • Paul McGuire at Mar 1, 2008 at 3:14 am

    On Feb 29, 5:57?pm, Alan Isaac wrote:
    Paul McGuire wrote:
    In general, whenever you have:
    ? ? someNewList = []
    ? ? for smthg in someSequence:
    ? ? ? ? if condition(smthg):
    ? ? ? ? ? ? someNewList.append( elementDerivedFrom(smthg) )
    replace it with:
    ? ? someNewList = [ elementDerivedFrom(smthg)
    ? ? ? ? ? ? ? ? ? ? ? for smthg in someSequence
    ? ? ? ? ? ? ? ? ? ? ? ? if condition(smthg) ]
    What is the gain? ?(Real question.)

    I think the first is often easier to read.

    Is the second more efficient?

    Also, I think list comprehensions are often easier to read

    as equivalent generator expressions:

    ? ? ? someNewList = list( elementDerivedFrom(smthg)

    ? ? ? ? ? ? ? ? ? ? ? ? ? ? for smthg in someSequence

    ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? if condition(smthg) )

    Tastes vary of course.

    Cheers,

    Alan Isaac
    I think there is a performance gain in list comps over explicit for
    looping - I'm sure google will turn up some stats for this in this
    newsgroup in the past.

    As for list(<generator-expr>) over [<list-comprehnesion>], that's why
    they make chocolate and vanilla. (I believe that at one time, Guido
    was considering discarding list comps in Py3K, with this list
    +generator expression alternative being the rationale for dropping
    them, but later changed his mind.)

    -- Paul

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
grouppython-list @
categoriespython
postedFeb 28, '08 at 11:40a
activeMar 1, '08 at 3:14a
posts8
users4
websitepython.org

People

Translate

site design / logo © 2022 Grokbase