temotor at gmail.com
Thu Feb 28 15:58:44 CET 2008
On 28 Feb, 15:42, Paul McGuire <pt... at austin.rr.com> wrote:
> On Feb 28, 5:40 am, Temoto <temo... at gmail.com> wrote:
> > Hello.
> > There is a Django application, i need to place all its data into
> > Access mdb file and send it to user.
> > It seems to me that params filling for statement could be expressed in
> > a more beautiful way.
> > Since i'm very new to Python, i don't feel that, though.
> > Could you tell your opinion on that snippet?
> > <code>
> > sql = """insert into salesmanager
> > (employeeid, name, officelocation, departmentname, salary)
> > values (?, ?, ?, ?, ?);"""
> > params = []
> > for manager in Manager.objects.all():
> > params.append( (manager.id, manager.name, manager.office,
> > manager.department, manager.salary) )
> > curs.executemany(sql, params)
> > </code>
> params = []
> for manager in Manager.objects.all():
> params.append( (manager.id, manager.name,
> manager.office, manager.department,
> manager.salary) )
> With this list comprehension:
> params = [ (mgr.id, mgr.name, mgr.office,
> mgr.department, mgr.salary)
> for mgr in Manager.objects.all() ]
> But the technique you are using, of creating a params list instead of
> doing explicit string construction, IS the safe SQL-injection-
> resistant way to do this.
> -- Paul
Thanks a lot. I've been actually waiting for a list comprehension.
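The point Paul makes, that passing a params list to executemany() is the injection-resistant way to do this, is easy to show end to end. The following is an added example and not code from the thread: it uses an in-memory sqlite3 database as a stand-in for the Access mdb connection, a namedtuple with constructed sample rows in place of Django's Manager.objects.all(), and the same insert statement as the original post. The second sample name contains an apostrophe, which is exactly the kind of value that breaks a statement built by string formatting but is stored verbatim when the driver binds it as a parameter.

```python
import sqlite3
from collections import namedtuple

# Stand-in for the Django Manager model (hypothetical; the thread used
# Manager.objects.all()). Sample rows are constructed for this example.
Manager = namedtuple("Manager", "id name office department salary")

SAMPLE_MANAGERS = [
    Manager(1, "Ada Lovelace", "London", "Engineering", 120000),
    Manager(2, "Miles O'Brien", "Dublin", "Operations", 95000),  # embedded quote
]

# Same statement as the original post; '?' placeholders are bound by the driver.
SQL_INSERT = """insert into salesmanager
(employeeid, name, officelocation, departmentname, salary)
values (?, ?, ?, ?, ?);"""


def make_connection():
    """In-memory SQLite stands in for the Access mdb / ODBC connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table salesmanager (employeeid integer, name text, "
        "officelocation text, departmentname text, salary integer)"
    )
    return conn


def build_params(managers):
    """The list comprehension from the thread: one tuple per row, in column order."""
    return [(m.id, m.name, m.office, m.department, m.salary) for m in managers]


def insert_parameterized(conn, managers):
    """Safe form: values travel separately from the SQL text, so quotes in
    data remain data. Returns the number of rows inserted."""
    curs = conn.cursor()
    curs.executemany(SQL_INSERT, build_params(managers))
    conn.commit()
    return curs.rowcount


def insert_by_string_formatting(conn, managers):
    """Unsafe form, shown only for contrast: values pasted into the statement
    text. A name containing an apostrophe corrupts the SQL, so the insert
    fails part way through. Returns the error message, or None on success."""
    curs = conn.cursor()
    try:
        for m in managers:
            stmt = ("insert into salesmanager values (%d, '%s', '%s', '%s', %d)"
                    % (m.id, m.name, m.office, m.department, m.salary))
            curs.execute(stmt)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def stored_names(conn):
    """Names currently in the table, in employeeid order."""
    return [row[0] for row in conn.execute(
        "select name from salesmanager order by employeeid")]


if __name__ == "__main__":
    safe = make_connection()
    print(insert_parameterized(safe, SAMPLE_MANAGERS), "rows via executemany")
    print(stored_names(safe))

    unsafe = make_connection()
    print("string formatting failed with:", insert_by_string_formatting(unsafe, SAMPLE_MANAGERS))
    print(stored_names(unsafe))
```

With a real Access target the only change is the connection object (pyodbc or similar); the placeholder style stays `?` for DB-API drivers that use qmark paramstyle, and the params list is built exactly as in the thread.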