I noticed that most sources say that it is best to execute SQL queries in Python, something like this:
cursor.execute( 'select * from coworkers where name = :1 and clue > :2', [ name, clue_threshold ] )
Other sources say
cursor.execute( "select * from coworkers where name = %s and clue > %s", ( name, clue_threshold ) )
which, I think, is pretty similar.
In any case, the way I do it is to create a dictionary and save the values. For example, the initial biz_info dictionary looks like this:
biz_info = {
    'business'     : None,
    'name'         : None,
    'neighborhood' : None,
    'address'      : None,
    'city'         : None,
    'state'        : None,
    'zip_code'     : None,
    'latitude'     : None,
    'longitude'    : None,
    'phone'        : None,
    'url'          : None,
    'yelp_url'     : None,
}
then I execute an SQL statement like this:
execute_sql( cur, "insert into " + TABLE_BIZ_NAME + """ values ( NULL, %(name)s, %(neighborhood)s, %(address)s, %(city)s, %(state)s, %(zip_code)s, %(latitude)s, %(longitude)s, %(phone)s, %(url)s, %(yelp_url)s, NULL )""" , biz_info )
Is it safe against SQL injection? I want to use dictionaries to store information, because it simplifies management.
Honestly, I'm not even quite sure what the difference between %s, %d and %()s means in parameterized queries. Basically, all I know is not to use
cursor.execute( "select * from coworkers where name = '%s' and clue > %d" % ( name, clue_threshold ) )
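The following is an added example, not code from the question above, showing the difference between the two approaches end to end. It uses Python's bundled sqlite3 driver so it runs offline; sqlite3 accepts the DB-API "named" (`:name`) and "qmark" (`?`) placeholder styles rather than the `%(name)s` "pyformat" style that MySQLdb and psycopg2 accept, but the mechanism is identical across drivers: the SQL text and the values are handed to the driver separately, so a value is never parsed as SQL. The only piece spliced into the string is the table name, which must be a trusted constant in your own code, never user input. The table name, column layout and sample rows are constructed for this example.

```python
import sqlite3

# Constructed for this example: a trusted constant, never taken from user input.
TABLE_BIZ_NAME = "coworkers"


def make_db():
    """Create an in-memory database with a small constructed coworkers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table " + TABLE_BIZ_NAME + " (id integer primary key, name text, clue integer)"
    )
    return conn


def insert_coworker(conn, info):
    """Insert one row from a dict by mapping its keys to named placeholders.

    Only the placeholders and the trusted table name are part of the SQL text;
    every value in `info` travels to the driver as a bound parameter, so a quote
    or a semicolon inside a value is stored literally. Returns the row count.
    """
    conn.execute(
        "insert into " + TABLE_BIZ_NAME + " (name, clue) values (:name, :clue)",
        info,
    )
    conn.commit()
    return conn.execute("select count(*) from " + TABLE_BIZ_NAME).fetchone()[0]


def find_safe(conn, name, clue_threshold):
    """Parameterised lookup: characters in `name` are data, not SQL syntax."""
    return conn.execute(
        "select name, clue from " + TABLE_BIZ_NAME + " where name = :name and clue > :threshold",
        {"name": name, "threshold": clue_threshold},
    ).fetchall()


def find_unsafe(conn, name, clue_threshold):
    """The pattern to avoid: values spliced into the SQL text with the % operator.

    A name containing a single quote changes the shape of the statement, which
    is why this form is injectable. Here the driver only ever sees the finished
    string; the parse error is returned as text so the caller can observe it.
    """
    sql = "select name, clue from %s where name = '%s' and clue > %d" % (
        TABLE_BIZ_NAME, name, clue_threshold,
    )
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc


if __name__ == "__main__":
    db = make_db()
    insert_coworker(db, {"name": "O'Brien", "clue": 7})   # constructed sample row
    insert_coworker(db, {"name": "Smith", "clue": 2})     # constructed sample row
    print(find_safe(db, "O'Brien", 5))    # the apostrophe is just data here
    print(find_unsafe(db, "O'Brien", 5))  # the same apostrophe breaks the statement
```

Run as a script, the parameterised lookup returns the O'Brien row while the string-formatted lookup returns a syntax error from the database: the apostrophe in the value has been interpreted as SQL. That is the whole difference between `%s` as a placeholder passed as a second argument (safe) and `%s` consumed by Python's `%` operator before the string reaches the driver (unsafe); `%(name)s` is simply the dict-keyed form of the safe variant.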