Automagically expanding a Python list with formatted output
try:

    ",".join(map(str, record_ids))

",".join(list_of_strings) joins a list of strings by separating them with commas. If you have a list of numbers, map(str, list) will convert it to a list of strings.
I do stuff like this (to ensure I'm using bindings):

    sqlStmt = ("UPDATE apps.sometable SET lastmod=SYSDATE() where rec_id in (%s)"
               % ', '.join(['?' for n in record_ids]))
    mysql_cursor.execute(sqlStmt, record_ids)
    mysql.commit()

This works for all dynamic lists you want to bind without leaving you susceptible to SQL injection attacks.
Further to the given answers, note that you may want to special case the empty list case as "where rec_id in ()" is not valid SQL, so you'll get an error.
Also be very careful of building SQL manually like this, rather than just using automatically escaped parameters. For a list of integers, it'll work, but if you're dealing with strings received from user input, you open up a huge SQL injection vulnerability by doing this.
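
The points raised in the answers above (one bound placeholder per value, the empty-list case, and string input), combined in an added example that is not from any of the posts. It assumes Python's built-in sqlite3 module in place of MySQL so it runs offline (sqlite3 uses "?" placeholders; CURRENT_TIMESTAMP stands in for SYSDATE()); touch_records, make_demo_db and untouched are hypothetical helper names, and the table rows are constructed sample data.

```python
import sqlite3


def touch_records(conn, record_ids):
    """Set lastmod for the given rec_ids; return the number of rows updated."""
    ids = list(record_ids)
    if not ids:
        # "IN ()" is a syntax error, so an empty list means there is nothing to do.
        return 0
    # Only the number of placeholders is formatted into the SQL text;
    # the values themselves are passed separately and bound by the driver.
    placeholders = ", ".join("?" for _ in ids)
    sql = ("UPDATE sometable SET lastmod = CURRENT_TIMESTAMP "
           "WHERE rec_id IN (%s)" % placeholders)
    cur = conn.execute(sql, ids)
    conn.commit()
    return cur.rowcount


def make_demo_db():
    """Build an in-memory table with three constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sometable (rec_id TEXT PRIMARY KEY, lastmod TEXT)")
    conn.executemany("INSERT INTO sometable (rec_id) VALUES (?)",
                     [("1",), ("2",), ("3",)])
    conn.commit()
    return conn


def untouched(conn):
    """Return the rec_ids whose lastmod has not been set yet."""
    rows = conn.execute(
        "SELECT rec_id FROM sometable WHERE lastmod IS NULL ORDER BY rec_id")
    return [row[0] for row in rows]


if __name__ == "__main__":
    demo = make_demo_db()
    print(touch_records(demo, []))               # empty list: no query is run
    print(touch_records(demo, ["1", "3"]))       # two rows updated
    # Constructed string with SQL syntax in it: bound as a value, it matches no row.
    print(touch_records(demo, ["2) OR (1=1"]))
    print(untouched(demo))                       # row "2" was never updated
```

With a MySQL driver the placeholder token follows that driver's paramstyle, so the string joined into the IN list changes while the structure stays the same.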