more pythonic

Discussion in 'Python' started by Temoto, Feb 28, 2008.

  1. Temoto

    Temoto Guest

    Hello.

    There is a Django application, i need to place all its data into
    Access mdb file and send it to user.
    It seems to me that params filling for statement could be expressed in
    a more beautiful way.
    Since i'm very new to Python, i don't feel that, though.

    Could you tell your opinion on that snippet?

    <code>
    sql = """insert into salesmanager
        (employeeid, name, officelocation, departmentname, salary)
        values (?, ?, ?, ?, ?);"""
    params = []
    for manager in Manager.objects.all():
        params.append( (manager.id, manager.name, manager.office,
                        manager.department, manager.salary) )
    curs.executemany(sql, params)
    </code>
    Temoto, Feb 28, 2008
    #1

  2. 7stud Guest

    On Feb 28, 4:40 am, Temoto <> wrote:
    > Hello.
    >
    > There is a Django application, i need to place all its data into
    > Access mdb file and send it to user.
    > It seems to me that params filling for statement could be expressed in
    > a more beautiful way.
    > Since i'm very new to Python, i don't feel that, though.
    >
    > Could you tell your opinion on that snippet?
    >
    > <code>
    >     sql = """insert into salesmanager
    >         (employeeid, name, officelocation, departmentname, salary)
    >         values (?, ?, ?, ?, ?);"""
    >     params = []
    >     for manager in Manager.objects.all():
    >         params.append( (manager.id, manager.name, manager.office,
    > manager.department, manager.salary) )
    >     curs.executemany(sql, params)
    > </code>


    It's my understanding that the way you insert arguments into queries
    has to be done in a db specific way. If done in that way, your
    queries will be protected against sql injection attacks, AND the query
    strings will be constructed in a more efficient manner.
    7stud, Feb 28, 2008
    #2

  3. 7stud Guest

    On Feb 28, 4:48 am, 7stud <> wrote:
    >
    > It's my understanding that the way you insert arguments into queries
    > has to be done in a db specific way.  
    >


    Rather:

    It's my understanding that the way you insert arguments into queries
    *should* be done in a db specific way.  
    7stud, Feb 28, 2008
    #3
  4. Paul McGuire Guest

    On Feb 28, 5:40 am, Temoto <> wrote:
    > Hello.
    >
    > There is a Django application, i need to place all its data into
    > Access mdb file and send it to user.
    > It seems to me that params filling for statement could be expressed in
    > a more beautiful way.
    > Since i'm very new to Python, i don't feel that, though.
    >
    > Could you tell your opinion on that snippet?
    >
    > <code>
    >     sql = """insert into salesmanager
    >         (employeeid, name, officelocation, departmentname, salary)
    >         values (?, ?, ?, ?, ?);"""
    >     params = []
    >     for manager in Manager.objects.all():
    >         params.append( (manager.id, manager.name, manager.office,
    > manager.department, manager.salary) )
    >     curs.executemany(sql, params)
    > </code>


    Replace:
        params = []
        for manager in Manager.objects.all():
            params.append( (manager.id, manager.name,
                            manager.office, manager.department,
                            manager.salary) )

    With this list comprehension:

        params = [ (mgr.id, mgr.name, mgr.office,
                     mgr.department, mgr.salary)
                    for mgr in Manager.objects.all() ]

    But the technique you are using, of creating a params list instead of
    doing explicit string construction, IS the safe SQL-injection-
    resistant way to do this.

    -- Paul
    Paul McGuire, Feb 28, 2008
    #4
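    To make Paul's point concrete, here is an added example (not code from the thread or from Django) that runs the same `insert ... values (?, ?, ?, ?, ?)` statement two ways against an in-memory sqlite3 database, which uses the same `?` placeholder style as the snippet above. `Manager` is a namedtuple stand-in for the Django model, the table's column types are assumed, and the hostile name is a constructed payload: with the parameterised `executemany` it is stored as an ordinary string, while splicing the same values into the statement text lets it drop the table.

```python
import sqlite3
from collections import namedtuple

# Constructed stand-in for the Django ``Manager`` model in the post; no Django needed.
Manager = namedtuple("Manager", "id name office department salary")

# Valid data, but if it is spliced into SQL text it closes the VALUES list, appends a
# second statement and comments out the remainder. Constructed for this demo.
HOSTILE_NAME = "x', 'y', 'z', 0); DROP TABLE salesmanager; --"

SAMPLE_MANAGERS = [
    Manager(1, "Alice", "Berlin", "Sales", 5200),
    Manager(2, HOSTILE_NAME, "Dublin", "Sales", 4800),
]

# The statement from the post, unchanged. '?' is the DB-API "qmark" paramstyle,
# which sqlite3 shares; every DB-API driver advertises its own in ``module.paramstyle``.
SQL = """insert into salesmanager
    (employeeid, name, officelocation, departmentname, salary)
    values (?, ?, ?, ?, ?);"""


def fresh_db():
    """In-memory database holding the post's target table (column types assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table salesmanager (employeeid integer, name text, "
        "officelocation text, departmentname text, salary integer)"
    )
    return conn


def table_exists(conn):
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = 'salesmanager'"
    ).fetchone()
    return row[0] == 1


def insert_parameterized(conn, managers):
    """Paul's approach: the driver binds each tuple; values never become SQL text."""
    params = [(m.id, m.name, m.office, m.department, m.salary) for m in managers]
    conn.executemany(SQL, params)
    return [r[0] for r in conn.execute("select name from salesmanager order by employeeid")]


def insert_by_string_building(conn, managers):
    """The anti-pattern: values formatted into the statement. Returns whether the table survived."""
    for m in managers:
        stmt = (
            "insert into salesmanager (employeeid, name, officelocation, departmentname, salary) "
            "values (%d, '%s', '%s', '%s', %d);" % (m.id, m.name, m.office, m.department, m.salary)
        )
        # sqlite3's execute() refuses a second statement in one call; executescript() does not,
        # mirroring drivers that accept batches. Only a multi-statement path is needed for the drop.
        conn.executescript(stmt)
    return table_exists(conn)


if __name__ == "__main__":
    safe = fresh_db()
    print(insert_parameterized(safe, SAMPLE_MANAGERS))          # both names stored literally
    unsafe = fresh_db()
    print(insert_by_string_building(unsafe, SAMPLE_MANAGERS))   # False: the table is gone
```

    The parameterised path never sees `HOSTILE_NAME` as SQL, so nothing to escape and nothing to get wrong; the string-building path is only one multi-statement driver away from losing the table, and even a single-statement driver would let that name rewrite the other columns of its own row.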
  5. Temoto Guest

    On 28 Feb, 15:42, Paul McGuire <> wrote:
    > On Feb 28, 5:40 am, Temoto <> wrote:
    > > Hello.
    > >
    > > There is a Django application, i need to place all its data into
    > > Access mdb file and send it to user.
    > > It seems to me that params filling for statement could be expressed in
    > > a more beautiful way.
    > > Since i'm very new to Python, i don't feel that, though.
    > >
    > > Could you tell your opinion on that snippet?
    > >
    > > <code>
    > >     sql = """insert into salesmanager
    > >         (employeeid, name, officelocation, departmentname, salary)
    > >         values (?, ?, ?, ?, ?);"""
    > >     params = []
    > >     for manager in Manager.objects.all():
    > >         params.append( (manager.id, manager.name, manager.office,
    > >                         manager.department, manager.salary) )
    > >     curs.executemany(sql, params)
    > > </code>
    >
    > Replace:
    >     params = []
    >     for manager in Manager.objects.all():
    >         params.append( (manager.id, manager.name,
    >                         manager.office, manager.department,
    >                         manager.salary) )
    >
    > With this list comprehension:
    >
    >     params = [ (mgr.id, mgr.name, mgr.office,
    >                  mgr.department, mgr.salary)
    >                 for mgr in Manager.objects.all() ]
    >
    > But the technique you are using, of creating a params list instead of
    > doing explicit string construction, IS the safe SQL-injection-
    > resistant way to do this.
    >
    > -- Paul


    Thanks a lot. I've been actually waiting for a list comprehension.
    Temoto, Feb 28, 2008
    #5
  6. Paul McGuire Guest

    On Feb 28, 8:58 am, Temoto <> wrote:
    > On 28 Feb, 15:42, Paul McGuire <> wrote:
    > > On Feb 28, 5:40 am, Temoto <> wrote:
    > > > Hello.
    > > >
    > > > There is a Django application, i need to place all its data into
    > > > Access mdb file and send it to user.
    > > > It seems to me that params filling for statement could be expressed in
    > > > a more beautiful way.
    > > > Since i'm very new to Python, i don't feel that, though.
    > > >
    > > > Could you tell your opinion on that snippet?
    > > >
    > > > <code>
    > > >     sql = """insert into salesmanager
    > > >         (employeeid, name, officelocation, departmentname, salary)
    > > >         values (?, ?, ?, ?, ?);"""
    > > >     params = []
    > > >     for manager in Manager.objects.all():
    > > >         params.append( (manager.id, manager.name, manager.office,
    > > >                         manager.department, manager.salary) )
    > > >     curs.executemany(sql, params)
    > > > </code>
    > >
    > > Replace:
    > >     params = []
    > >     for manager in Manager.objects.all():
    > >         params.append( (manager.id, manager.name,
    > >                         manager.office, manager.department,
    > >                         manager.salary) )
    > >
    > > With this list comprehension:
    > >
    > >     params = [ (mgr.id, mgr.name, mgr.office,
    > >                  mgr.department, mgr.salary)
    > >                 for mgr in Manager.objects.all() ]
    > >
    > > But the technique you are using, of creating a params list instead of
    > > doing explicit string construction, IS the safe SQL-injection-
    > > resistant way to do this.
    > >
    > > -- Paul
    >
    > Thanks a lot. I've been actually waiting for a list comprehension.


    In general, whenever you have:

        someNewList = []
        for smthg in someSequence:
            if condition(smthg):
                someNewList.append( elementDerivedFrom(smthg) )

    replace it with:

        someNewList = [ elementDerivedFrom(smthg)
                        for smthg in someSequence
                        if condition(smthg) ]

    -- Paul
    Paul McGuire, Feb 28, 2008
    #6
  7. Alan Isaac Guest

    Paul McGuire wrote:
    > In general, whenever you have:
    >     someNewList = []
    >     for smthg in someSequence:
    >         if condition(smthg):
    >             someNewList.append( elementDerivedFrom(smthg) )
    > replace it with:
    >     someNewList = [ elementDerivedFrom(smthg)
    >                     for smthg in someSequence
    >                     if condition(smthg) ]

    What is the gain? (Real question.)
    I think the first is often easier to read.
    Is the second more efficient?

    Also, I think list comprehensions are often easier to read
    as equivalent generator expressions:

        someNewList = list( elementDerivedFrom(smthg)
                            for smthg in someSequence
                            if condition(smthg) )

    Tastes vary of course.

    Cheers,
    Alan Isaac
    Alan Isaac, Feb 29, 2008
    #7
  8. Paul McGuire Guest

    On Feb 29, 5:57 pm, Alan Isaac <> wrote:
    > Paul McGuire wrote:
    > > In general, whenever you have:
    > >     someNewList = []
    > >     for smthg in someSequence:
    > >         if condition(smthg):
    > >             someNewList.append( elementDerivedFrom(smthg) )
    > > replace it with:
    > >     someNewList = [ elementDerivedFrom(smthg)
    > >                     for smthg in someSequence
    > >                     if condition(smthg) ]
    >
    > What is the gain?  (Real question.)
    >
    > I think the first is often easier to read.
    >
    > Is the second more efficient?
    >
    > Also, I think list comprehensions are often easier to read
    > as equivalent generator expressions:
    >
    >     someNewList = list( elementDerivedFrom(smthg)
    >                         for smthg in someSequence
    >                         if condition(smthg) )
    >
    > Tastes vary of course.
    >
    > Cheers,
    >
    > Alan Isaac


    I think there is a performance gain in list comps over explicit for
    looping - I'm sure google will turn up some stats for this in this
    newsgroup in the past.

    As for list(<generator-expr>) over [<list-comprehension>], that's why
    they make chocolate and vanilla. (I believe that at one time, Guido
    was considering discarding list comps in Py3K, with this list
    +generator expression alternative being the rationale for dropping
    them, but later changed his mind.)

    -- Paul
    Paul McGuire, Mar 1, 2008
    #8
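    The three spellings Paul and Alan compare (explicit loop, list comprehension, list() over a generator expression) build the same rows, but the generator form also has a property the other two lack: it produces each row only when the consumer asks for it. The added example below (mine, not from the thread) applies the pattern from post #6 to the thread's own rows, with a `condition` that keeps only the Sales department and an `elementDerivedFrom` that builds one executemany tuple; `Manager` is a namedtuple stand-in for the Django model and the sample managers are constructed.

```python
from collections import namedtuple

# Constructed stand-in for the Django ``Manager`` model in the thread; no Django needed.
Manager = namedtuple("Manager", "id name office department salary")

SAMPLE_MANAGERS = [
    Manager(1, "Alice", "Berlin", "Sales", 5200),
    Manager(2, "Bob", "Dublin", "Support", 4100),
    Manager(3, "Chen", "Austin", "Sales", 6100),
]


def is_sales(m):
    """The thread's condition(smthg): keep only one department."""
    return m.department == "Sales"


def to_row(m):
    """The thread's elementDerivedFrom(smthg): one tuple for executemany."""
    return (m.id, m.name, m.office, m.department, m.salary)


def rows_with_loop(managers):
    params = []
    for m in managers:
        if is_sales(m):
            params.append(to_row(m))
    return params


def rows_with_listcomp(managers):
    return [to_row(m) for m in managers if is_sales(m)]


def rows_with_genexpr(managers):
    # Not a list: an iterator that builds each row only when the consumer pulls it.
    # executemany() in sqlite3 accepts any iterable, so this can be passed straight in.
    return (to_row(m) for m in managers if is_sales(m))


def derive_calls_after_first_row(managers):
    """Show the laziness: how many rows has the generator built once one is consumed?"""
    built = []

    def counted_row(m):
        built.append(m.id)
        return to_row(m)

    gen = (counted_row(m) for m in managers if is_sales(m))
    first = next(gen)          # stops as soon as the first matching manager is converted
    return len(built), first


if __name__ == "__main__":
    print(rows_with_loop(SAMPLE_MANAGERS))
    print(rows_with_listcomp(SAMPLE_MANAGERS))
    print(list(rows_with_genexpr(SAMPLE_MANAGERS)))
    print(derive_calls_after_first_row(SAMPLE_MANAGERS))
```

    For a small queryset the list forms are fine and the comprehension is the most direct; for a large table the generator expression, handed directly to executemany, avoids holding every row in memory at once.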
