formatting query with empty parameter
aahz at pythoncraft.com
Fri May 29 17:23:00 CEST 2009
In article <mailman.892.1243603377.8015.python-list at python.org>,
Tim Chase <python.list at tim.thechases.com> wrote:
>> Tim Chase <python.list at tim.thechases.com> wrote:
>>> To stave off this problem, I often use:
>>> values = [
>>> params = ', '.join('%s' for _ in values)
>>> query = """
>>> INSERT INTO table
>>> VALUES (%s);
>>> """ % params
>>> self.db.execute(query, values)
>> How do you handle correct SQL escaping?
>If you dump "query", you see that "params" (possibly a better
>name would be "place_holders") is merely a list of "%s, %s, %s,
>..., %s" allowing the "execute(query, ***values***)" to properly
>escape the values. The aim is to ensure that
>"count(placeholders) == len(values)" which the OP mentioned was
Right, that's what I get for reading code early in the morning.
Aahz (aahz at pythoncraft.com) <*> http://www.pythoncraft.com/
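The technique Tim describes above, generating exactly len(values) placeholders and handing the values to execute() instead of formatting them into the query, as an added runnable example that is not part of the thread. It uses sqlite3 (qmark paramstyle, "?") rather than the "%s" format paramstyle in the post, so the placeholder is a parameter; the functions build_insert, insert_rows and demo, the table "items" and the sample rows are all constructed for this example. It also covers the case the subject line raises: an empty parameter list would produce "VALUES ()", so it is rejected up front, and the table name, which cannot be bound as a parameter, is checked against an identifier pattern before being interpolated.

```python
import re
import sqlite3

# Table and column names cannot be bound as parameters, so the only thing
# interpolated into the SQL text is an identifier validated here.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_insert(table, values, placeholder="?"):
    """Return an INSERT statement with exactly one placeholder per value.

    The placeholder list is derived from len(values), so the counts can
    never drift apart. The values themselves are never formatted into
    the string; they go to execute() separately and the driver quotes
    them. ``placeholder`` is "?" for sqlite3 (qmark paramstyle) and
    "%s" for drivers that use the format paramstyle, as in the post.
    """
    if not _IDENT.match(table):
        raise ValueError("invalid table name: %r" % (table,))
    if not values:
        # Zero values would produce "VALUES ()", which is not valid SQL.
        raise ValueError("at least one value is required")
    placeholders = ", ".join(placeholder for _ in values)
    return "INSERT INTO %s VALUES (%s)" % (table, placeholders)


def insert_rows(conn, table, rows):
    """Insert each row with a parameterized query; return rows inserted."""
    count = 0
    for row in rows:
        conn.execute(build_insert(table, row), row)
        count += 1
    conn.commit()
    return count


def demo():
    """Round-trip constructed rows, one carrying an injection-shaped note."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT, note TEXT)")
    rows = [  # constructed sample data
        (1, "widget", "plain"),
        (2, "gadget", "x'); DROP TABLE items; --"),
    ]
    insert_rows(conn, "items", rows)
    # The note is stored verbatim and the table still exists: the quote
    # and the comment marker never reached the SQL parser as code.
    return [tuple(r) for r in conn.execute("SELECT * FROM items ORDER BY id")]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

If you dump the query that build_insert returns you see only placeholders, never data; the driver's escaping happens inside execute(), which is why the value count and the placeholder count must match.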