Prev: Does pickled objects work fine between different OS?
Next: <python setup.py install_data> question
From: Kushal Kumaran on 26 May 2010 11:25
On Tue, 2010-05-25 at 14:45 -0400, Victor Subervi wrote:
> Hi;
> I have this code:
>
> clientCursor.execute('select ID from %s' % (personalDataTable))
> upds = [itm[0] for itm in clientCursor]
> print "<input type='hidden' name='upds' value='%s' />" % upds
>
> The problem is that the values passed are 1L, 2L.... When I retrieve
> them on the other end and try to convert them to integers, guess what
> happens? So how do I get rid of that "L"?

You could build a list of ints instead of a list of longs, like this:

upds = [int(itm[0]) for itm in clientCursor]

I'm not sure if the result of applying str() on lists is guaranteed not
to change, though.

--
regards,
kushal



From: John Nagle on 26 May 2010 15:43
Kushal Kumaran wrote:
> On Tue, 2010-05-25 at 14:45 -0400, Victor Subervi wrote:
>> Hi;
>> I have this code:
>>
>> clientCursor.execute('select ID from %s' % (personalDataTable))
>> upds = [itm[0] for itm in clientCursor]
>> print "<input type='hidden' name='upds' value='%s' />" % upds
>>
>> The problem is that the values passed are 1L, 2L.... When I retrieve
>> them on the other end and try to convert them to integers, guess what
>> happens? So how do I get rid of that "L"?

What's the table definition?

John Nagle
From: Alister on 26 May 2010 16:17
On Wed, 26 May 2010 12:43:29 -0700, John Nagle wrote:

> Kushal Kumaran wrote:
>> On Tue, 2010-05-25 at 14:45 -0400, Victor Subervi wrote:
>>> Hi;
>>> I have this code:
>>>
>>> clientCursor.execute('select ID from %s' % (personalDataTable))
>>> upds = [itm[0] for itm in clientCursor] print "<input
>>> type='hidden' name='upds' value='%s' />" % upds
>>>
>>> The problem is that the values passed are 1L, 2L.... When I retrieve
>>> them on the other end and try to convert them to integers, guess what
>>> happens? So how do I get rid of that "L"?
>
> What's the table definition?
>
> John Nagle

I think you should probably also write your execuete diferently:

>>> clientCursor.execute('select ID from %s' , (personalDataTable,))

this ensures the parameters are correctly escaped to prevent mysql
injection attacks,the "," after personalDataTable is necessary to ensure
the parameter is passed as a tupple

However I am fairly new so could be mistaken on exactly what your code
does.
--
If you analyse anything, you destroy it.
-- Arthur Miller
From: John Nagle on 26 May 2010 18:30
Alister wrote:
> I think you should probably also write your execute differently:
>
>>>> clientCursor.execute('select ID from %s' , (personalDataTable,))
>
> this ensures the parameters are correctly escaped to prevent mysql
> injection attacks,the "," after personalDataTable is necessary to ensure
> the parameter is passed as a tuple

Actually, no. The names of tables are not quoted in SQL.
One writes

SELECT ID FROM mytable;

not

SELECT ID FROM "mytable";

so you don't want to run table names through the quoting and escaping function.
If the table name is a variable, you need to be very careful about where it
comes from.

On the other hand, if you're specifying a data value, a field that's normally
quoted, as in

SELECT ID from mytable WHERE mykey="foo";

you write

cursor.execute("SELECT ID FROM mytable WHERE mykey=%s", (mykeyval,))

to get proper escaping. Don't put quote marks around the %s; MySQLdb does that.

Also, if you're selecting every entry in a database, without a
WHERE or ORDER BY clause, you will get the entries in more or less random
order.

John Nagle
From: Christian Heimes on 26 May 2010 18:24
> Actually, no. The names of tables are not quoted in SQL.
> One writes
>
> SELECT ID FROM mytable;
>
> not
>
> SELECT ID FROM "mytable";

nit picking mode:

Some RDBMS support case sensitive table names. You have to quote the
table name if you using the feature. Yeah I know, it's pretty bad idea
but it's possible.

Christian

 |  Next  |  Last
Pages: 1 2
Prev: Does pickled objects work fine between different OS?
Next: <python setup.py install_data> question