Re: Is passing a list as a bound variable safe from SQL injection?

On 02/10/2013 18:31, W. Matthew Wilson wrote:
[snip]
> This is the approach (and it does involve very long lists):
>
> http://www.datadoghq.com/2013/08/100x-faster-postgres-performance-by-changing-1-line/
>
> Instead of writing = any(array[1,2,3,4]), they wrote = any(values (1),
> (2), (3), (4), )
>
> and somehow that works more quickly.

Hi Matthew,

you can override the list adapter and have it generate the "values"
expression instead of an array. See this example:

http://www.psycopg.org/psycopg/docs/advanced.html?highlight=adapt#adapting-new-python-types-to-sql-syntax


Btw, I am a little curious, what kind of query requires an array of
~11000 values? Surely there is a better way to write it, isn't it?

federico

--
Federico Di Gregorio                         federico.digregorio@dndg.it
Di Nunzio & Di Gregorio srl                               http://dndg.it
 The only thing I see is if you are pumping so much data into the
  database all the time when do you expect to look at it?
                                                        -- Charlie Clark