On Feb 28, 5:40 am, Temoto <[EMAIL PROTECTED]> wrote:
> Hello.
>
> There is a Django application, i need to place all its data into
> Access mdb file and send it to user.
> It seems to me that params filling for statement could be expressed in
> a more beautiful way.
> Since i'm very new to Python, i don't feel that, though.
>
> Could you tell your opinion on that snippet?
>
> <code>
> sql = """insert into salesmanager
>     (employeeid, name, officelocation, departmentname, salary)
>     values (?, ?, ?, ?, ?);"""
> params = []
> for manager in Manager.objects.all():
>     params.append( (manager.id, manager.name, manager.office,
>         manager.department, manager.salary) )
> curs.executemany(sql, params)
> </code>

Replace:

    params = []
    for manager in Manager.objects.all():
        params.append( (manager.id, manager.name, manager.office,
            manager.department, manager.salary) )

With this list comprehension:

    params = [ (mgr.id, mgr.name, mgr.office, mgr.department, mgr.salary)
               for mgr in Manager.objects.all() ]

But the technique you are using, of creating a params list instead of
doing explicit string construction, IS the safe SQL-injection-resistant
way to do this.

-- Paul
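
The contrast drawn in the reply above, as an added example that is not part of either post: the same rows loaded once through a params list and once through explicit string construction. It assumes Python's built-in sqlite3 module in place of the Access driver (both take "?" placeholders), and ROWS is constructed sample data standing in for Manager.objects.all().

```python
import sqlite3

# Constructed sample rows standing in for Manager.objects.all().
ROWS = [
    (1, "Ann Lee", "Boston", "Sales", 50000),
    (2, "Pat O'Brien", "Dublin", "Sales", 52000),  # ordinary apostrophe
    (3, "x', 'HQ', 'Exec', 999999) --", "Austin", "IT", 48000),  # crafted name
]
DDL = """create table salesmanager
    (employeeid integer, name text, officelocation text,
     departmentname text, salary integer)"""
SQL = """insert into salesmanager
    (employeeid, name, officelocation, departmentname, salary)
    values (?, ?, ?, ?, ?);"""
DUMP = "select * from salesmanager order by employeeid"


def load_with_params(rows):
    """The thread's approach: values travel separately from the SQL text."""
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    conn.executemany(SQL, rows)
    return conn.execute(DUMP).fetchall()


def load_with_string_building(rows):
    """The unsafe alternative: values are pasted into the statement text."""
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    failed = 0
    for row in rows:
        stmt = "insert into salesmanager values (%d, '%s', '%s', '%s', %d)" % row
        try:
            conn.execute(stmt)
        except sqlite3.Error:  # the apostrophe ends the string literal early
            failed += 1
    return conn.execute(DUMP).fetchall(), failed


if __name__ == "__main__":
    print(load_with_params(ROWS))           # every row stored exactly as given
    print(load_with_string_building(ROWS))  # one row lost, one row rewritten
```

With the params list, all three names are stored byte for byte; with string construction, the O'Brien row fails to insert and the crafted name overwrites the office, department and salary columns of its own row.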