something that I tore my hair out over when building my website (gibsonandlily.com) was how to handle input santizing for mysql.
I wrote some functions for it in python (and I'm sure that they don't work very well. Yes, I'm sure some of you could destroy my website...it is a hobby, please don't).
I later found out (and I'm in the process of replacing code) that you can have mysqldb handle it for you like this:
cursor.execute("insert into links(url,description) values(%s,%s)", (url,desciption))
where url and description (the second ones) are variable holding the values you want to insert.
this was different than the way that I was doing it before, which was:
insert_query = "insert into links(url,description) values('%s','%s')" % (url,description)
cursor.execute(insert_query)
I'm sure this sounds completely stupid to some of you who make your living writing web apps...but I thought it was really cool :).
mysqldb has a bunch of Python->MySQL conversions. If you look at the source you can read converters.py -- it can convert lists, strings, numbers, dates and a lot of other types too.
I probably should have mentioned that in the article, truth is it really depends on your set up, most of the mysql databases I have used are not set up for transactions.
MySQL is set to autocommit by default (you can check with "select @@autocommit", there are probably some other ways to check as well), then it comes to which engine you use, many of them don't support transactions, but some like InnoDB do. So it really all depends.
MySQL may be autocommit by default, but I believe the Python DB-API spec (and therefore mysqldb) specifies to turn autocommit off when the connection is opened.
* You can easily change database engines without rewriting all your queries
* SQLAlchemy has built-in protection from SQL injection attacks.
* You can define your database tables and relations once (in SQLAlchemy) and it will create the database for you if it doesn't already exist.