formating query with empty parameter

Aahz aahz at pythoncraft.com
Fri May 29 17:23:00 CEST 2009


In article <mailman.892.1243603377.8015.python-list at python.org>,
Tim Chase  <python.list at tim.thechases.com> wrote:
>Aahz wrote:
>> Tim Chase  <python.list at tim.thechases.com> wrote:
>>> To stave off this problem, I often use:
>>>
>>>   values = [
>>>    data['a'],
>>>    data['b'],
>>>    data['c'],
>>>    data['d'],
>>>    data['e'],
>>>    data['f'],
>>>    data['g'],
>>>    ]
>>>   params = ', '.join('%s' for _ in values)
>>>   query = """
>>>     BEGIN;
>>>       INSERT INTO table
>>>         (a,b,c,d,e,f,g)
>>>       VALUES (%s);
>>>     COMMIT;
>>>     """ % params
>>>   self.db.execute(query, values)
>> 
>> How do you handle correct SQL escaping?
>
>If you dump "query", you see that "params" (possibly a better 
>name would be "place_holders") is merely a list of "%s, %s, %s, 
>..., %s" allowing the "execute(query, ***values***)" to properly 
>escape the values.  The aim is to ensure that 
>"count(placeholders) == len(values)" which the OP mentioned was 
>the problem.

Right, that's what I get for reading code early in the morning.
-- 
Aahz (aahz at pythoncraft.com)           <*>         http://www.pythoncraft.com/

my-python-code-runs-5x-faster-this-month-thanks-to-dumping-$2K-
    on-a-new-machine-ly y'rs  - tim



More information about the Python-list mailing list