Also, if I'm not mistaken, when you use the database api, the input validation steps are taken care of by the framework, you don't just tell in the models what format fields should be in the database, but at the same time are telling the framework what input it should accept for that field. If a field is EmailField, it'll only accept an actual [EMAIL PROTECTED] type input. It'll also escape everything correctly for you.
Why is this important you ask? Using the database api almost completely removes all the SQL injection whoes developers have so they can focus on the important stuff. The philosophy behind django is to automate the repetitive and boring stuff from developing highend websites. I for one am very happy with this because I spent most of my PHP development time fixing SQL injection bugs in peoples apps (writing loads and loads of validation code) and creating admin interfaces for websites that up to that point used nothing but phpMyAdmin to do the administration of their sites. If your going to use pure SQL instead, you don't just have to write all those query's (in the long run, when using the API you'll end up writing much less code), but will also have to write routines to clean up the input into your app, while they are already part of the framework On Aug 13, 11:20 pm, "James Bennett" <[EMAIL PROTECTED]> wrote: > On 8/13/07, Amirouche <[EMAIL PROTECTED]> wrote: > > > What do you mean, I can't understand. > > OK, suppose you are running an online store, so you have a database > table "orders", which lists orders customers have placed, and another > "addresses" which lists the addresses to ship the orders to. To > calculate the shipping cost for an order, you need the total amount of > the order and the address it ships to; calculating it with an > application which does pure raw SQL looks like this: > > query = "SELECT orders.amount, addresses.address FROM orders INNER > JOIN addresses ON addresses.id = orders.address_id WHERE orders.id = > %s" > cursor.execute(query, [23]) > row = cursor.fetchall()[0] > shipping_amount = calculate_shipping(amount=row[0], address=row[1]) > > Doing it with an ORM looks like this: > > order = Order.objects.get(id=23) > shipping_amount = order.calculate_shipping() > > The fact that the ORM automatically gives you instances of > domain-specific classes means that you immediately have access to your > customized business logic, and that you can encapsulate it in those > classes and rely on their availability, which improves the design of > your code. It also significantly cuts down the amount of code you need > to write, and makes it clearer what's going on: you're calculating the > shipping price of Order #23. > > -- > "Bureaucrat Conrad, you are technically correct -- the best kind of correct." --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-users?hl=en -~----------~----~----~----~------~----~------~--~---
