
comp.lang.python

more pythonic

Temoto

2/28/2008 11:41:00 AM

Hello.

There is a Django application, i need to place all its data into
Access mdb file and send it to user.
It seems to me that params filling for statement could be expressed in
a more beautiful way.
Since i'm very new to Python, i don't feel that, though.

Could you tell your opinion on that snippet?

<code>
    sql = """insert into salesmanager
        (employeeid, name, officelocation, departmentname, salary)
        values (?, ?, ?, ?, ?);"""
    params = []
    for manager in Manager.objects.all():
        params.append( (manager.id, manager.name, manager.office,
                        manager.department, manager.salary) )
    curs.executemany(sql, params)
</code>
7 Answers

7stud --

2/28/2008 11:49:00 AM

0

On Feb 28, 4:40 am, Temoto <temo...@gmail.com> wrote:
> Hello.
>
> There is a Django application, i need to place all its data into
> Access mdb file and send it to user.
> It seems to me that params filling for statement could be expressed in
> a more beautiful way.
> Since i'm very new to Python, i don't feel that, though.
>
> Could you tell your opinion on that snippet?
>
> <code>
>     sql = """insert into salesmanager
>         (employeeid, name, officelocation, departmentname, salary)
>         values (?, ?, ?, ?, ?);"""
>     params = []
>     for manager in Manager.objects.all():
>         params.append( (manager.id, manager.name, manager.office,
> manager.department, manager.salary) )
>     curs.executemany(sql, params)
> </code>

It's my understanding that the way you insert arguments into queries
has to be done in a db specific way. If done in that way, your
queries will be protected against sql injection attacks, AND the query
strings will be constructed in a more efficient manner.

7stud --

2/28/2008 11:51:00 AM

0

On Feb 28, 4:48 am, 7stud <bbxx789_0...@yahoo.com> wrote:
>
> It's my understanding that the way you insert arguments into queries
> has to be done in a db specific way.  
>

Rather:

It's my understanding that the way you insert arguments into queries
*should* be done in a db specific way.  

Paul McGuire

2/28/2008 12:42:00 PM

0

On Feb 28, 5:40 am, Temoto <temo...@gmail.com> wrote:
> Hello.
>
> There is a Django application, i need to place all its data into
> Access mdb file and send it to user.
> It seems to me that params filling for statement could be expressed in
> a more beautiful way.
> Since i'm very new to Python, i don't feel that, though.
>
> Could you tell your opinion on that snippet?
>
> <code>
>     sql = """insert into salesmanager
>         (employeeid, name, officelocation, departmentname, salary)
>         values (?, ?, ?, ?, ?);"""
>     params = []
>     for manager in Manager.objects.all():
>         params.append( (manager.id, manager.name, manager.office,
> manager.department, manager.salary) )
>     curs.executemany(sql, params)
> </code>

Replace:
    params = []
    for manager in Manager.objects.all():
        params.append( (manager.id, manager.name,
                        manager.office, manager.department,
                        manager.salary) )

With this list comprehension:

    params = [ (mgr.id, mgr.name, mgr.office,
                 mgr.department, mgr.salary)
                for mgr in Manager.objects.all() ]

But the technique you are using, of creating a params list instead of
doing explicit string construction, IS the safe SQL-injection-
resistant way to do this.

-- Paul
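A runnable version of the pattern discussed in this thread, added here as an example (it is not code from any of the posts): it keeps the `?` placeholders and `executemany`, fills `params` with Paul's list comprehension (with the optional `if` clause of the general `[expr for x in seq if cond]` form from later in the thread), and uses the standard-library `sqlite3` module in place of the Access connection. The `Manager` rows are constructed stand-ins for the Django queryset, and `string_built_insert_breaks` shows what the string-construction alternative does when the data contains a quote.

```python
import sqlite3
from collections import namedtuple

# Constructed stand-in for the thread's Manager.objects.all(); the real rows
# come from the Django ORM. The quote in the second name is the case a
# parameterised insert must handle.
Manager = namedtuple("Manager", "id name office department salary")
MANAGERS = [
    Manager(1, "Alice Smith", "Austin", "Sales", 90000),
    Manager(2, "Pat O'Brien", "Boston", "Sales", 85000),
]

SQL = """insert into salesmanager
    (employeeid, name, officelocation, departmentname, salary)
    values (?, ?, ?, ?, ?);"""


def build_params(managers, min_salary=0):
    """Paul's list comprehension, plus an optional filter clause to show the
    general [expr for x in seq if cond] form."""
    return [(m.id, m.name, m.office, m.department, m.salary)
            for m in managers if m.salary >= min_salary]


def load_managers(managers):
    """Insert with executemany and read the rows back. sqlite3 uses the same
    '?' qmark paramstyle as the Access/pyodbc connection in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""create table salesmanager (
        employeeid integer primary key, name text, officelocation text,
        departmentname text, salary integer)""")
    conn.executemany(SQL, build_params(managers))  # driver binds the values
    rows = conn.execute("select employeeid, name, salary from salesmanager"
                        " order by employeeid").fetchall()
    conn.close()
    return rows


def string_built_insert_breaks(manager):
    """The 'explicit string construction' Paul warns against: the quote in the
    name ends the SQL literal early, so the statement is malformed (and with
    attacker-chosen input could be reshaped instead). Returns True on error."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table salesmanager (employeeid, name)")
    sql = "insert into salesmanager (employeeid, name) values (%d, '%s');" % (
        manager.id, manager.name)
    try:
        conn.execute(sql)
        return False
    except sqlite3.OperationalError:
        return True
```

With the parameterised insert the apostrophe in "Pat O'Brien" is stored verbatim; the string-built version fails on the same row.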

Temoto

2/28/2008 2:59:00 PM

0

On 28 Feb, 15:42, Paul McGuire <pt...@austin.rr.com> wrote:
> On Feb 28, 5:40 am, Temoto <temo...@gmail.com> wrote:
>
>
>
> > Hello.
>
> > There is a Django application, i need to place all its data into
> > Access mdb file and send it to user.
> > It seems to me that params filling for statement could be expressed in
> > a more beautiful way.
> > Since i'm very new to Python, i don't feel that, though.
>
> > Could you tell your opinion on that snippet?
>
> > <code>
> > sql = """insert into salesmanager
> > (employeeid, name, officelocation, departmentname, salary)
> > values (?, ?, ?, ?, ?);"""
> > params = []
> > for manager in Manager.objects.all():
> > params.append( (manager.id, manager.name, manager.office,
> > manager.department, manager.salary) )
> > curs.executemany(sql, params)
> > </code>
>
> Replace:
> params = []
> for manager in Manager.objects.all():
> params.append( (manager.id, manager.name,
> manager.office, manager.department,
> manager.salary) )
>
> With this list comprehension:
>
> params = [ (mgr.id, mgr.name, mgr.office,
> mgr.department, mgr.salary)
> for mgr in Manager.objects.all() ]
>
> But the technique you are using, of creating a params list instead of
> doing explicit string construction, IS the safe SQL-injection-
> resistant way to do this.
>
> -- Paul

Thanks a lot. I've been actually waiting for a list comprehension.

Paul McGuire

2/28/2008 4:02:00 PM

0

On Feb 28, 8:58 am, Temoto <temo...@gmail.com> wrote:
> On 28 Feb, 15:42, Paul McGuire <pt...@austin.rr.com> wrote:
>
>
>
>
>
> > On Feb 28, 5:40 am, Temoto <temo...@gmail.com> wrote:
>
> > > Hello.
>
> > > There is a Django application, i need to place all its data into
> > > Access mdb file and send it to user.
> > > It seems to me that params filling for statement could be expressed in
> > > a more beautiful way.
> > > Since i'm very new to Python, i don't feel that, though.
>
> > > Could you tell your opinion on that snippet?
>
> > > <code>
> > >     sql = """insert into salesmanager
> > >         (employeeid, name, officelocation, departmentname, salary)
> > >         values (?, ?, ?, ?, ?);"""
> > >     params = []
> > >     for manager in Manager.objects.all():
> > >         params.append( (manager.id, manager.name, manager.office,
> > > manager.department, manager.salary) )
> > >     curs.executemany(sql, params)
> > > </code>
>
> > Replace:
> >     params = []
> >     for manager in Manager.objects.all():
> >         params.append( (manager.id, manager.name,
> >                         manager.office, manager.department,
> >                         manager.salary) )
>
> > With this list comprehension:
>
> >     params = [ (mgr.id, mgr.name, mgr.office,
> >                  mgr.department, mgr.salary)
> >                 for mgr in Manager.objects.all() ]
>
> > But the technique you are using, of creating a params list instead of
> > doing explicit string construction, IS the safe SQL-injection-
> > resistant way to do this.
>
> > -- Paul
>
> Thanks a lot. I've been actually waiting for a list comprehension.

In general, whenever you have:

    someNewList = []
    for smthg in someSequence:
        if condition(smthg):
            someNewList.append( elementDerivedFrom(smthg) )

replace it with:

    someNewList = [ elementDerivedFrom(smthg)
                      for smthg in someSequence
                        if condition(smthg) ]

-- Paul

Alan G Isaac

2/29/2008 11:57:00 PM

0

Paul McGuire wrote:

> In general, whenever you have:
>     someNewList = []
>     for smthg in someSequence:
>         if condition(smthg):
>             someNewList.append( elementDerivedFrom(smthg) )
> replace it with:
>     someNewList = [ elementDerivedFrom(smthg)
>                       for smthg in someSequence
>                         if condition(smthg) ]

What is the gain? (Real question.)
I think the first is often easier to read.
Is the second more efficient?

Also, I think list comprehensions are often easier to read
as equivalent generator expressions:

      someNewList = list( elementDerivedFrom(smthg)
                            for smthg in someSequence
                              if condition(smthg) )

Tastes vary of course.

Cheers,
Alan Isaac


Paul McGuire

3/1/2008 3:15:00 AM

0

On Feb 29, 5:57 pm, Alan Isaac <ais...@american.edu> wrote:
> Paul McGuire wrote:
> > In general, whenever you have:
> >     someNewList = []
> >     for smthg in someSequence:
> >         if condition(smthg):
> >             someNewList.append( elementDerivedFrom(smthg) )
> > replace it with:
> >     someNewList = [ elementDerivedFrom(smthg)
> >                       for smthg in someSequence
> >                         if condition(smthg) ]
>
> What is the gain?  (Real question.)
>
> I think the first is often easier to read.
>
> Is the second more efficient?
>
> Also, I think list comprehensions are often easier to read
>
> as equivalent generator expressions:
>
>       someNewList = list( elementDerivedFrom(smthg)
>
>                             for smthg in someSequence
>
>                               if condition(smthg) )
>
> Tastes vary of course.
>
> Cheers,
>
> Alan Isaac

I think there is a performance gain in list comps over explicit for
looping - I'm sure google will turn up some stats for this in this
newsgroup in the past.

As for list(<generator-expr>) over [<list-comprehension>], that's why
they make chocolate and vanilla. (I believe that at one time, Guido
was considering discarding list comps in Py3K, with this list
+generator expression alternative being the rationale for dropping
them, but later changed his mind.)

-- Paul