On 2005-04-27, Dennis Lee Bieber <[EMAIL PROTECTED]> wrote:

> On Wed, 27 Apr 2005 08:44:36 +0200, Ola Natvig <[EMAIL PROTECTED]>
> declaimed the following in comp.lang.python:
>
>> sql = "INSERT INTO %s (%s) VALUES (%s)" % (table, ','.join(params.keys()),
>>                                             ','.join(params.values()))
>
> That also violates the DB-API recommendations that the
> .execute() method should be used to do parameter substitution -- to
> ensure proper quoting of odd data...

I would think this would be OK:

    keys = params.keys()
    columnList = ", ".join(keys)
    # one %(key)s placeholder per column; the driver binds and quotes the values
    valueList = ", ".join(["%%(%s)s" % key for key in keys])
    sql = "INSERT INTO %s (%s) VALUES (%s)" % (table, columnList, valueList)
    cursor.execute(sql, params)

Though you would probably want to go further and filter out keys that
don't belong in the table, something like:

    keys = [key for key in tableColumns if key in params]

Dave Cook
-- 
http://mail.python.org/mailman/listinfo/python-list
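The pattern above (column names taken from an allow-list, values bound through DB-API parameters) as an added, runnable example; this is not Dave Cook's code. It uses the standard-library sqlite3 module, whose named paramstyle is `:name` rather than the `%(name)s` pyformat style in the post, and the table allow-list `TABLE_COLUMNS` and the sample rows are constructed for the demo.

```python
import sqlite3

# Allow-list of writable columns per table. Identifiers cannot be bound as
# parameters, so they must be validated before being put into the SQL text.
TABLE_COLUMNS = {
    "users": ("name", "email"),
}


def build_insert(table, params):
    """Return (sql, bound_params) ready for a DB-API cursor.execute() call.

    Column names come only from TABLE_COLUMNS; values never enter the SQL
    text and are bound through named placeholders (sqlite3 ':name').
    """
    if table not in TABLE_COLUMNS:
        raise ValueError("unknown table: %r" % table)
    # Keep only keys that are real columns of this table (the post's filter).
    keys = [key for key in TABLE_COLUMNS[table] if key in params]
    if not keys:
        raise ValueError("no insertable columns supplied")
    column_list = ", ".join(keys)
    value_list = ", ".join(":%s" % key for key in keys)
    sql = "INSERT INTO %s (%s) VALUES (%s)" % (table, column_list, value_list)
    return sql, {key: params[key] for key in keys}


def insert_row(conn, table, params):
    sql, bound = build_insert(table, params)
    cur = conn.execute(sql, bound)
    conn.commit()
    return cur.lastrowid


def demo():
    """Insert a constructed row containing quote characters and a stray key."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    # Constructed input: a name with SQL metacharacters (stored literally once
    # bound as a parameter) and a key that is not a column of the table.
    params = {"name": "O'Brien'); DROP TABLE users; --",
              "email": "ob@example.invalid",
              "is_admin": 1}
    insert_row(conn, "users", params)
    rows = conn.execute("SELECT name, email FROM users").fetchall()
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'").fetchall()]
    return rows, tables
```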