On Thu, Jul 11, 2013 at 4:30 PM, Richard Gomes <rgomes.i...@gmail.com> wrote:
> hello,
>
> I've previously defined inserts and updates by hand in my application, which
> is working fine, not using SQLAlchemy at the moment.
> At this point, I'd like to employ SQLAlchemy to generate these inserts and
> updates for me. And that's all.
> I mean: just generate the queries for me. I'm not going to execute via
> SQLAlchemy at this point.
>
>
> I did the test below:
>
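> from sqlalchemy import MetaData, create_engine
>
> engine = create_engine('postgresql://localhost/sample')
> metadata = MetaData()
> metadata.bind = engine
> # Load the table definitions from the database so metadata.tables is populated
> metadata.reflect(bind=engine)
> t = metadata.tables['company_valuation_measures']
> # Print the generated UPDATE without executing it
> print(str(
>     t.update().values(trailing_pe=1.0).where(t.c.symbol=='dummy').where(t.c.date=='dummy')
> ))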
>
>
> I obtained:
>
> UPDATE company_valuation_measures
> SET trailing_pe=%(trailing_pe)s
> WHERE company_valuation_measures.symbol = %(symbol_1)s AND
> company_valuation_measures.date = %(date_1)s
>
>
> The trouble is: field names are 'symbol' and 'date', not 'symbol_1', not
> 'date_1'.
>
> Could someone point out what I'm doing wrong?
>

SQLAlchemy uses bind parameters when executing SQL - i.e. the values
don't get substituted into the SQL string, but get passed to the
underlying DBAPI module separately. This is generally what you want,
as bind parameters avoid potential SQL-injection security holes.

There is a recipe on the wiki for getting the SQL string with the
parameters inserted, but you should read the warning at the top
carefully and fully understand the dangers:

  http://www.sqlalchemy.org/trac/wiki/UsageRecipes/BindsAsStrings

Hope that helps,

Simon
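
The following is an added example, not part of the original message or of SQLAlchemy's documentation: it compiles the UPDATE from the question without a database connection and returns the SQL text and the bind values separately, so they can be passed to your own DBAPI cursor. The column types, the `build_update` helper and the sample values are assumptions made for illustration.

```python
import datetime

from sqlalchemy import Column, Date, Float, MetaData, String, Table
from sqlalchemy.dialects import postgresql

# Constructed table definition (assumed column types); no connection is needed.
metadata = MetaData()
measures = Table(
    "company_valuation_measures",
    metadata,
    Column("symbol", String, primary_key=True),
    Column("date", Date, primary_key=True),
    Column("trailing_pe", Float),
)


def build_update(symbol, date, trailing_pe):
    """Return (sql, params) for the UPDATE without executing it (hypothetical helper)."""
    stmt = (
        measures.update()
        .values(trailing_pe=trailing_pe)
        .where(measures.c.symbol == symbol)
        .where(measures.c.date == date)
    )
    compiled = stmt.compile(dialect=postgresql.dialect())
    # str(compiled) holds only placeholders; compiled.params maps each
    # placeholder name (symbol_1, date_1, trailing_pe) to its value.
    return str(compiled), dict(compiled.params)


# Constructed hostile input: it must end up in params, never in the SQL text.
HOSTILE = "x' OR '1'='1"

if __name__ == "__main__":
    sql, params = build_update(HOSTILE, datetime.date(2013, 7, 11), 1.0)
    print(sql)
    print(params)
    # With a DBAPI cursor of your own (e.g. psycopg2): cursor.execute(sql, params)
```

The names `symbol_1` and `date_1` are placeholder names generated for the bind parameters, not column names; the driver receives the values through the params dictionary.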
