In article <mailman.892.1243603377.8015.python-l...@python.org>,
Tim Chase <python.l...@tim.thechases.com> wrote:
>Aahz wrote:
>> Tim Chase <python.l...@tim.thechases.com> wrote:
>>> To stave off this problem, I often use:
>>>
>>>   values = [
>>>     data['a'],
>>>     data['b'],
>>>     data['c'],
>>>     data['d'],
>>>     data['e'],
>>>     data['f'],
>>>     data['g'],
>>>     ]
>>>   params = ', '.join('%s' for _ in values)
>>>   query = """
>>>     BEGIN;
>>>     INSERT INTO table
>>>       (a,b,c,d,e,f,g)
>>>     VALUES (%s);
>>>     COMMIT;
>>>     """ % params
>>>   self.db.execute(query, values)
>>
>> How do you handle correct SQL escaping?
>
>If you dump "query", you see that "params" (possibly a better
>name would be "place_holders") is merely a list of "%s, %s, %s,
>..., %s" allowing the "execute(query, ***values***)" to properly
>escape the values.  The aim is to ensure that
>"count(placeholders) == len(values)" which the OP mentioned was
>the problem.
Right, that's what I get for reading code early in the morning.
-- 
Aahz (a...@pythoncraft.com)           <*>         http://www.pythoncraft.com/

my-python-code-runs-5x-faster-this-month-thanks-to-dumping-$2K-
on-a-new-machine-ly y'rs  - tim
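The pattern Tim describes above, written out as an added example that is not from either poster: the placeholder string is derived from the value list so the two counts cannot drift apart, values are only ever passed as execute() parameters, and the one thing parameters cannot protect, identifiers spliced into the SQL, is checked against an allowlist. It uses sqlite3 (paramstyle `?` rather than the `%s` of Tim's driver); the table and column set are assumptions.

```python
import sqlite3

# Hypothetical schema for the example; identifiers cannot be bound as
# parameters, so column names are validated against this set instead.
ALLOWED_COLUMNS = {"a", "b", "c", "d", "e", "f", "g"}


def build_insert(table, data):
    """Return (sql, values) for inserting dict `data` into `table`.

    Column names are spliced into the SQL text only after passing the
    allowlist; values never are, they travel as execute() parameters.
    """
    if not table.isidentifier():
        raise ValueError("bad table name: %r" % table)
    columns = sorted(data)
    unknown = set(columns) - ALLOWED_COLUMNS
    if unknown:
        raise ValueError("unknown column(s): %s" % ", ".join(sorted(unknown)))
    values = [data[c] for c in columns]
    placeholders = ", ".join("?" for _ in values)   # sqlite3 uses ?, not %s
    sql = "INSERT INTO %s (%s) VALUES (%s)" % (
        table, ", ".join(columns), placeholders)
    # The invariant the thread is about: one placeholder per value.
    assert sql.count("?") == len(values)
    return sql, values


def insert_and_read_back(data):
    """Insert `data` into an in-memory table and return the stored row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (a, b, c, d, e, f, g)")
    sql, values = build_insert("t", data)
    with conn:                     # transaction handled by the driver,
        conn.execute(sql, values)  # not by BEGIN/COMMIT inside the string
    row = conn.execute("SELECT %s FROM t" % ", ".join(sorted(data))).fetchone()
    conn.close()
    return row


if __name__ == "__main__":
    # A value containing a quote is stored verbatim, not parsed as SQL.
    print(insert_and_read_back({"a": "O'Brien", "b": 2, "c": None}))
```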