[DB-SIG] Passing 'pre-quoted' SQL to 'execute'.
Chris Cogdon
chris@cogdon.org
Fri, 28 Mar 2003 17:38:00 -0800
I'm using a particular way of organising my python and SQL that I
think's pretty neat, but I'm wondering if I'm not making things too
difficult for myself, and there's a 'better way' out there I'm unaware
of.
I'm using pyPgSQL. The application is a community artwork site, where
several thousand artists have uploaded 200,000 images.
Firstly, I have a class that handles all my database queries. I've
actually separated parts into different modules, and used a module and
the 'mix-in' methodology to bring them all together so it's one big
interface to the rest of the program. For simplification, I've hidden
those details.
So, here's part of that class:
class VCL_DATABASE:
def get_artists ( self, criteria ):
cur = self.cursor ()
try:
condition = criteria.make_sql_condition ()
cur.execute ( "select * from artist where "+condition )
# The cursor is now turned into a list of artists, code
omitted for brevity
return artists
finally:
cur.close ()
That's pretty simple. The interesting part is where the 'criteria' is
passed to the 'get_artists' function. There are a few such classes and
each can return their SQL conditions however they want. Here's an
example:
class ARTIST_DISPLAYNAME_CRITERIA ( ARTIST_CRITERIA ):
def __init__ ( self, displayname ):
self.displayname = displayname
def make_sql_condition ( self ):
return "displayname="+PgSQL._quote(self.displayname)
There are many more like it, and I also have ways to 'join' the
criteria together. The resultant conditions can be quote complex, and
there's also a way for it to ask the 'select' to join extra tables to
get the criteria it needs. (For example, I might want all artist that
have new artwork in the last 14 days, which would require a join on
several other tables). I've omitted all that code for brevity.
So... my questions are these:
- I'm piecemealing the SQL together from different sources, meaning I
need to quote values using _quote rather then inside the 'execute'
function. I don't like the idea of me using a 'underscored' function,
but there seems to be no way around it. Is there a better way? (The 'as
shipped' pg module has a 'bare' quote function)
- Am I causing more work for myself with the method for the condition
separate from the execute? Do other people find some way of passing all
the necessary values into the 'execute', with all the SQL being
generated at the last moment ?
- I /believe/ that if 'execute' does not see any list or dictionary
following, it does not quote the SQL at all, which is necessary for
this method to work. Is my assumption correct?
Thanks for your attention!
--
("`-/")_.-'"``-._ Chris Cogdon <chris@cogdon.org>
. . `; -._ )-;-,_`)
(v_,)' _ )`-.\ ``-'
_.- _..-_/ / ((.'
((,.-' ((,/ fL