[Zope-DB] How can I dynamically generate a Z Search Interface?

Dieter Maurer dieter@handshake.de
Sat, 7 Sep 2002 20:25:39 +0200


Jim Penny writes:
 > On Fri, Sep 06, 2002 at 08:33:00PM +0200, Dieter Maurer wrote:
 > ...
 > > Database adapters can be called to get a database connection.
 > > 
 > > A database connection has a "query" method to send SQL commands to
 > > its database.
 > > 
 > > Going this route lets you leave the well documented path.
 > > You will probably need to read sources and experiment...
 > 
 > Moreover, you will lose some things and gain nothing.  
I disagree...

 > You gain nothing, because you will still have to worry about SQL 
 > Injection problems, that is, you will still have to properly quote 
 > arguments.  Mostly this is easy, but if you use IN clauses in your 
 > queries, it can be a bit tricky.  
This is true, when he calls the External Method with the generated
SQL. But, I expect that he will generate the SQL in the External
Method. Then, the input is innocuous: a selection of fields
that should be output. They can easily be quoted or checked for
validity.

 > More importantly, you lose two things.  First, you will probably lose
 > connection caching (or have to do it yourself).  For many databases,
 > this is a biggy, as this can take tenths of seconds.
No, we are still above this layer.

   We use the same interface used by Z SQL Methods.
   We just bypass Z SQL Methods.

 > Second, you lose testability (and thus, most probably, reliability).
I agree that Z SQL Methods allow for nice testing.

But, it is also not difficult to test the External Method.


Dieter
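
Added example, not part of the original message: one way to generate the SQL from a selection of output fields, checking each field name against an allowlist and giving an IN clause one placeholder per value. The names ALLOWED_COLUMNS, build_select and the employees table are hypothetical, and sqlite3 with its "?" parameter binding stands in for the database connection; that binding is an assumption, not the Zope adapter interface.

```python
import sqlite3

# Hypothetical schema: the columns a caller may ask for, per table.
ALLOWED_COLUMNS = {"employees": ("id", "name", "dept", "salary")}


def build_select(table, fields, dept_values=()):
    """Return (sql, params) for a SELECT over caller-chosen output fields.

    Identifiers are not escaped; they are accepted only when they match the
    allowlist exactly. Values for the IN clause travel as bound parameters,
    one placeholder per value, so they never become part of the SQL text.
    """
    if table not in ALLOWED_COLUMNS:
        raise ValueError("unknown table: %r" % (table,))
    if not fields:
        raise ValueError("no output fields selected")
    allowed = ALLOWED_COLUMNS[table]
    bad = [f for f in fields if f not in allowed]
    if bad:
        raise ValueError("rejected field names: %r" % (bad,))
    sql = "SELECT %s FROM %s" % (", ".join(fields), table)
    params = list(dept_values)
    if params:
        # "?" * 2 -> "??", joined character by character -> "?, ?"
        sql += " WHERE dept IN (%s)" % ", ".join("?" * len(params))
    return sql, params


def run_demo():
    # Constructed sample data in an in-memory SQLite database.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER, name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?, ?)",
        [(1, "ann", "ops", 10), (2, "bob", "dev", 20), (3, "cy", "hr", 30)])
    sql, params = build_select("employees", ["name", "dept"], ["ops", "dev"])
    rows = conn.execute(sql + " ORDER BY id", params).fetchall()
    conn.close()
    return sql, rows


if __name__ == "__main__":
    print(run_demo())
```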