more pythonic

**7stud** · Feb 28 '08, 11:55 AM

Re: more pythonic

On Feb 28, 4:40 am, Temoto <temo...@gmail. comwrote:

Hello.
>
There is a Django application, i need to place all its data into
Access mdb file and send it to user.
It seems to me that params filling for statement could be expressed in
a more beautiful way.
Since i'm very new to Python, i don't feel that, though.
>
Could you tell your opinion on that snippet?
>
<code>
sql = """insert into salesmanager
(employeeid, name, officelocation, departmentname, salary)
values (?, ?, ?, ?, ?);"""
params = []
for manager in Manager.objects .all():
params.append( (manager.id, manager.name, manager.office,
manager.departm ent, manager.salary) )
curs.executeman y(sql, params)
</code>

It's my understanding that the way you insert arguments into queries
has to be done in a db specific way. If done in that way, your
queries will be protected against sql injection attacks, AND the query
strings will be constructed in a more efficient manner.

**7stud** · Feb 28 '08, 11:55 AM

Re: more pythonic

On Feb 28, 4:48 am, 7stud <bbxx789_0...@y ahoo.comwrote:

>
It's my understanding that the way you insert arguments into queries
has to be done in a db specific way.
>

Rather:

It's my understanding that the way you insert arguments into queries
*should* be done in a db specific way.

**Paul McGuire** · Feb 28 '08, 12:45 PM

Re: more pythonic

On Feb 28, 5:40 am, Temoto <temo...@gmail. comwrote:

Hello.
>
There is a Django application, i need to place all its data into
Access mdb file and send it to user.
It seems to me that params filling for statement could be expressed in
a more beautiful way.
Since i'm very new to Python, i don't feel that, though.
>
Could you tell your opinion on that snippet?
>
<code>
sql = """insert into salesmanager
(employeeid, name, officelocation, departmentname, salary)
values (?, ?, ?, ?, ?);"""
params = []
for manager in Manager.objects .all():
params.append( (manager.id, manager.name, manager.office,
manager.departm ent, manager.salary) )
curs.executeman y(sql, params)
</code>

Replace:
params = []
for manager in Manager.objects .all():
params.append( (manager.id, manager.name,
manager.office, manager.departm ent,
manager.salary) )

With this list comprehension:

params = [ (mgr.id, mgr.name, mgr.office,
mgr.department, mgr.salary)
for mgr in Manager.objects .all() ]

But the technique you are using, of creating a params list instead of
doing explicit string construction, IS the safe SQL-injection-
resistant way to do this.

-- Paul

**Temoto** · Feb 28 '08, 03:05 PM

Re: more pythonic

On 28 ÆÅ×, 15:42, Paul McGuire <pt...@austin.r r.comwrote:

On Feb 28, 5:40 am, Temoto <temo...@gmail. comwrote:
>
>
>

Hello.

>

There is a Django application, i need to place all its data into
Access mdb file and send it to user.
It seems to me that params filling for statement could be expressed in
a more beautiful way.
Since i'm very new to Python, i don't feel that, though.

>

Could you tell your opinion on that snippet?

>

<code>
sql = """insert into salesmanager
(employeeid, name, officelocation, departmentname, salary)
values (?, ?, ?, ?, ?);"""
params = []
for manager in Manager.objects .all():
params.append( (manager.id, manager.name, manager.office,
manager.departm ent, manager.salary) )
curs.executeman y(sql, params)
</code>

>
Replace:
params = []
for manager in Manager.objects .all():
params.append( (manager.id, manager.name,
manager.office, manager.departm ent,
manager.salary) )
>
With this list comprehension:
>
params = [ (mgr.id, mgr.name, mgr.office,
mgr.department, mgr.salary)
for mgr in Manager.objects .all() ]
>
But the technique you are using, of creating a params list instead of
doing explicit string construction, IS the safe SQL-injection-
resistant way to do this.
>
-- Paul

Thanks a lot. I've been actually waiting for a list comprehension.

**Paul McGuire** · Feb 28 '08, 04:05 PM

Re: more pythonic

On Feb 28, 8:58 am, Temoto <temo...@gmail. comwrote:

On 28 ÆÅ×, 15:42, Paul McGuire <pt...@austin.r r.comwrote:
>
>
>
>
>

On Feb 28, 5:40 am, Temoto <temo...@gmail. comwrote:

>

Hello.

>

There is a Django application, i need to place all its data into
Access mdb file and send it to user.
It seems to me that params filling for statement could be expressed in
a more beautiful way.
Since i'm very new to Python, i don't feel that, though.

>

Could you tell your opinion on that snippet?

>

<code>
sql = """insert into salesmanager
(employeeid, name, officelocation, departmentname, salary)
values (?, ?, ?, ?, ?);"""
params = []
for manager in Manager.objects .all():
params.append( (manager.id, manager.name, manager.office,
manager.departm ent, manager.salary) )
curs.executeman y(sql, params)
</code>

>

Replace:
params = []
for manager in Manager.objects .all():
params.append( (manager.id, manager.name,
manager.office, manager.departm ent,
manager.salary) )

>

With this list comprehension:

>

params = [ (mgr.id, mgr.name, mgr.office,
mgr.department, mgr.salary)
for mgr in Manager.objects .all() ]

>

But the technique you are using, of creating a params list instead of
doing explicit string construction, IS the safe SQL-injection-
resistant way to do this.

>

-- Paul

>
Thanks a lot. I've been actually waiting for a list comprehension.- Hide quoted text -
>
- Show quoted text -

In general, whenever you have:

someNewList = []
for smthg in someSequence:
if condition(smthg ):
someNewList.app end( elementDerivedF rom(smthg) )

replace it with:

someNewList = [ elementDerivedF rom(smthg)
for smthg in someSequence
if condition(smthg ) ]

-- Paul

**Alan Isaac** · Mar 1 '08, 12:05 AM

Re: more pythonic

Paul McGuire wrote:

In general, whenever you have:

someNewList = []

for smthg in someSequence:

if condition(smthg ):

someNewList.app end( elementDerivedF rom(smthg) )

replace it with:

someNewList = [ elementDerivedF rom(smthg)

for smthg in someSequence

if condition(smthg ) ]

What is the gain? (Real question.)

I think the first is often easier to read.

Is the second more efficient?

Also, I think list comprehensions are often easier to read

as equivalent generator expressions:

someNewList = list( elementDerivedF rom(smthg)

for smthg in someSequence

if condition(smthg ) )

Tastes vary of course.

Cheers,

Alan Isaac

**Paul McGuire** · Mar 1 '08, 03:15 AM

Re: more pythonic

On Feb 29, 5:57 pm, Alan Isaac <ais...@america n.eduwrote:

Paul McGuire wrote:

In general, whenever you have:
someNewList = []
for smthg in someSequence:
if condition(smthg ):
someNewList.app end( elementDerivedF rom(smthg) )
replace it with:
someNewList = [ elementDerivedF rom(smthg)
for smthg in someSequence
if condition(smthg ) ]

>
What is the gain? (Real question.)
>
I think the first is often easier to read.
>
Is the second more efficient?
>
Also, I think list comprehensions are often easier to read
>
as equivalent generator expressions:
>
someNewList = list( elementDerivedF rom(smthg)
>
for smthg in someSequence
>
if condition(smthg ) )
>
Tastes vary of course.
>
Cheers,
>
Alan Isaac

I think there is a performance gain in list comps over explicit for
looping - I'm sure google will turn up some stats for this in this
newsgroup in the past.

As for list(<generator-expr>) over [<list-comprehnesion>], that's why
they make chocolate and vanilla. (I believe that at one time, Guido
was considering discarding list comps in Py3K, with this list
+generator expression alternative being the rationale for dropping
them, but later changed his mind.)

-- Paul

more pythonic

more pythonic

Comment

Comment

Comment

Comment

Comment

Comment

Comment