more pythonic

Temoto temotor at gmail.com
Thu Feb 28 15:58:44 CET 2008


On 28 фев, 15:42, Paul McGuire <pt... at austin.rr.com> wrote:
> On Feb 28, 5:40 am, Temoto <temo... at gmail.com> wrote:
>
>
>
> > Hello.
>
> > There is a Django application, i need to place all its data into
> > Access mdb file and send it to user.
> > It seems to me that params filling for statement could be expressed in
> > a more beautiful way.
> > Since i'm very new to Python, i don't feel that, though.
>
> > Could you tell your opinion on that snippet?
>
> > <code>
> >     sql = """insert into salesmanager
> >         (employeeid, name, officelocation, departmentname, salary)
> >         values (?, ?, ?, ?, ?);"""
> >     params = []
> >     for manager in Manager.objects.all():
> >         params.append( (manager.id, manager.name, manager.office,
> > manager.department, manager.salary) )
> >     curs.executemany(sql, params)
> > </code>
>
> Replace:
>     params = []
>     for manager in Manager.objects.all():
>         params.append( (manager.id, manager.name,
>                         manager.office, manager.department,
>                         manager.salary) )
>
> With this list comprehension:
>
>     params = [ (mgr.id, mgr.name, mgr.office,
>                  mgr.department, mgr.salary)
>                 for mgr in Manager.objects.all() ]
>
> But the technique you are using, of creating a params list instead of
> doing explicit string construction, IS the safe SQL-injection-
> resistant way to do this.
>
> -- Paul

Thanks a lot. I've been actually waiting for a list comprehension.



More information about the Python-list mailing list