In article <mailman.892.1243603377.8015.python-l...@python.org>,
Tim Chase  <python.l...@tim.thechases.com> wrote:
>Aahz wrote:
>> Tim Chase  <python.l...@tim.thechases.com> wrote:
>>> To stave off this problem, I often use:
>>>
>>>   values = [
>>>    data['a'],
>>>    data['b'],
>>>    data['c'],
>>>    data['d'],
>>>    data['e'],
>>>    data['f'],
>>>    data['g'],
>>>    ]
>>>   params = ', '.join('%s' for _ in values)
>>>   query = """
>>>     BEGIN;
>>>       INSERT INTO table
>>>         (a,b,c,d,e,f,g)
>>>       VALUES (%s);
>>>     COMMIT;
>>>     """ % params
>>>   self.db.execute(query, values)
>> 
>> How do you handle correct SQL escaping?
>
>If you dump "query", you see that "params" (possibly a better 
>name would be "place_holders") is merely a list of "%s, %s, %s, 
>..., %s" allowing the "execute(query, ***values***)" to properly 
>escape the values.  The aim is to ensure that 
>"count(placeholders) == len(values)" which the OP mentioned was 
>the problem.

Right, that's what I get for reading code early in the morning.
-- 
Aahz (a...@pythoncraft.com)           <*>         http://www.pythoncraft.com/

my-python-code-runs-5x-faster-this-month-thanks-to-dumping-$2K-
    on-a-new-machine-ly y'rs  - tim
-- 
http://mail.python.org/mailman/listinfo/python-list
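An added example, not code from the thread above: it shows the point Tim makes (the placeholder string is generated from the same sequence as the values, so the driver does the escaping) next to the pattern Aahz's question is about (values formatted straight into the SQL text), and runs both against a constructed malicious record. It uses the standard-library sqlite3 module, whose paramstyle is `?` rather than the `%s` used by the driver in the thread; `COLUMNS`, `MALICIOUS`, the `items` table and all function names are assumptions made for the example.

```python
import sqlite3

# Fixed column list; the placeholder string is derived from this same
# sequence, so count(placeholders) == len(values) holds by construction.
COLUMNS = ("a", "b", "c", "d", "e", "f", "g")


def build_insert(table, columns):
    """Return a parameterised INSERT with one placeholder per column.

    Identifiers (table and column names) cannot be bound as parameters,
    so they are checked against a strict allow-list here; the *values*
    are left to the driver via placeholders. sqlite3 uses the 'qmark'
    paramstyle ('?'); psycopg2 and MySQLdb use '%s' as in the thread.
    """
    for name in (table,) + tuple(columns):
        if not name.isidentifier():
            raise ValueError("unsafe SQL identifier: %r" % name)
    placeholders = ", ".join("?" for _ in columns)
    return "INSERT INTO %s (%s) VALUES (%s)" % (
        table, ", ".join(columns), placeholders)


def insert_record(conn, table, data):
    """Insert one dict using driver parameter binding (the safe path)."""
    values = [data[c] for c in COLUMNS]
    conn.execute(build_insert(table, COLUMNS), values)
    conn.commit()


def insert_record_unsafe(conn, table, data):
    """The pattern Aahz's question worries about: values formatted into
    the SQL text. executescript() stands in for a driver that accepts a
    multi-statement batch, like the BEGIN/COMMIT batch in the thread."""
    quoted = ", ".join("'%s'" % data[c] for c in COLUMNS)
    conn.executescript("INSERT INTO %s (%s) VALUES (%s)" % (
        table, ", ".join(COLUMNS), quoted))


def fresh_db():
    """Assumed schema for the example: an in-memory table 'items'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (a, b, c, d, e, f, g)")
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?",
        (name,)).fetchone()
    return row[0] == 1


# Constructed malicious record: the last value closes the VALUES list,
# appends a DROP TABLE, and reopens a string literal so the remainder
# of the template still parses as a harmless SELECT.
MALICIOUS = dict(zip(COLUMNS, ("1", "2", "3", "4", "5", "6",
                               "x'); DROP TABLE items; SELECT ('")))


def demo():
    """Return (value stored by the safe path,
               table still exists after the safe path,
               table still exists after the unsafe path)."""
    safe = fresh_db()
    insert_record(safe, "items", MALICIOUS)
    stored = safe.execute("SELECT g FROM items").fetchone()[0]

    unsafe = fresh_db()
    insert_record_unsafe(unsafe, "items", MALICIOUS)
    return stored, table_exists(safe, "items"), table_exists(unsafe, "items")


if __name__ == "__main__":
    print(demo())
```

With parameter binding the payload lands in column g as an inert string and the table survives; with string formatting the same record drops the table. Two differences from the thread's snippet are deliberate: sqlite3's `execute()` refuses a multi-statement `BEGIN; ...; COMMIT;` batch, so the example relies on `conn.commit()` instead, and the identifier check exists because placeholders only cover values, never table or column names.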
