Lawrence D'Oliveiro <l...@geek-central.gen.new_zealand> wrote:

> In message <gt3fv1$1ac...@news.ett.com.ua>, Paul Hemans wrote:
>
>> One problem though that I didn't mention in my original
>> posting was that the replication may only require updating one or
>> more fields, that is a problem with generating a single SQL
>> statement to cover all requests.
>
> That's not a big issue. Assume the field names and corresponding
> values are coming from a Python dict, eg
>
>     FieldValues = \
>       {
>         "field1" : ... value1 ...,
>         "field2" : ... value2 ...,
>       }
>
> then you can construct an SQL statement on the fly with something like
>
>     sqlcmd = \
>         (
>             "insert into my_table set "
>         +
>             ", ".join
>               (
>                 "%s = %s" % (k, SQLString(FieldValues[k]))
>                 for k in FieldValues.keys()
>               )
>         )
>
> where SQLString is as defined at
> <http://codecodex.com/wiki/index.php?title=Useful_MySQL_Routines#Quoting>.

Not so nice if the input data is something like:

    FieldValues = { "field1=0);DROP my_table;": "" }

So you want something to validate fieldnames.

Also you are assuming that all the values are strings: if you want to
handle different data types correctly it is probably simpler to insert
parameter placeholders in the dynamic sql statement and just pass
FieldValues.items() to the execute method.

--
Duncan Booth http://kupuguy.blogspot.com
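
Added example, not part of the original posts: one way to combine the two suggestions in the reply above, checking field names against an allowlist and binding values through placeholders. It assumes the standard-library sqlite3 driver (placeholder `?`, standard `INSERT ... VALUES` form) so it runs offline; `ALLOWED_COLUMNS`, `build_insert` and the table layout are hypothetical names for the demo.

```python
import sqlite3

# Hypothetical schema for the demo: the only column names a request may set.
ALLOWED_COLUMNS = {"field1", "field2", "field3"}

def build_insert(table, field_values, allowed=ALLOWED_COLUMNS):
    """Return (sql, params) for an INSERT covering only the supplied fields.

    Column names cannot be bound as parameters, so they are checked against
    an allowlist; values are never interpolated, only bound. `table` is
    assumed to be a constant chosen by the program, not request data.
    """
    if not field_values:
        raise ValueError("no fields supplied")
    unknown = [k for k in field_values if k not in allowed]
    if unknown:
        raise ValueError("unexpected field name(s): %r" % unknown)
    columns = sorted(field_values)  # fixed order so names and params line up
    sql = "INSERT INTO %s (%s) VALUES (%s)" % (
        table,
        ", ".join('"%s"' % c for c in columns),
        ", ".join("?" for _ in columns),
    )
    return sql, [field_values[c] for c in columns]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_table (field1 INTEGER, field2 TEXT, field3 REAL)")
    # Constructed sample data: mixed types, and a value containing SQL syntax.
    hostile_value = "x'); DROP TABLE my_table;--"
    sql, params = build_insert("my_table", {"field2": hostile_value, "field1": 7})
    conn.execute(sql, params)
    rows = conn.execute("SELECT field1, field2, field3 FROM my_table").fetchall()
    # The field name from the reply is rejected before any SQL is built.
    try:
        build_insert("my_table", {"field1=0);DROP my_table;": ""})
        rejected = False
    except ValueError:
        rejected = True
    return sql, rows, rejected

if __name__ == "__main__":
    print(demo())
```

With a MySQL driver such as MySQLdb the placeholder is `%s` rather than `?`; the allowlist check is unchanged.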