[Zope-DB] dynamic SQL

Jason LeMonier jlemonier at Retailpro.com
Wed Oct 8 14:22:49 EDT 2003


Hey,

The simplest case where it was nice to have control
was when I needed:

select * from table
select * from table where type = 6
select * from table where id = 238

setting up type and id as required parameters takes away
being able to have no where clause at all.
(w/o even more labor in the zpt and now 3 separate SQL methods).

I figure if I'm going to allow "select * from table"
then I don't really care how any code builds a where clause!


-----Original Message-----
From: Charlie Clark [mailto:charlie at begeistert.org]
Sent: Wednesday, October 08, 2003 11:19 AM
To: Jason LeMonier; zope-db at zope.org
Subject: Re: [Zope-DB] dynamic SQL


Jason LeMonier wrote:

> Hey all,
>  
> I can appreciate not wanting to leave wide-open sql calls,
> but when it comes to dynamic queries ...
>  
> we usually just need to change the where clause.
> That way you're restricting the query to: "select * from x where "
> so your database is not at risk.

Well, you can still do this using parameters with some degree of security.

SELECT * from <dtml-var table> WHERE <dtml-var variable1> = <dtml-sqlvar variable2 type="int">

This is okay for well-defined situations - where you have several tables 
with the same structure.

Likewise using <dtml-if> for additional conditions.

Of course, DTML is nothing like as easy to use for more complex 
situations than Python. It should become natural to know when you need 
to break things out into some PythonScripts with a collection of SQL 
methods.

Charlie
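As an added illustration of the pattern both messages circle around (this is example code, not from the thread and not part of Zope or its SQL Methods), here is the same idea in Python instead of DTML: Jason's three queries (no where clause, "where type = 6", "where id = 238") come from one builder that keeps the WHERE clause optional, while the table and column names are taken from developer-fixed allow-lists and the values are bound parameters. The allow-list does for the identifier side what `<dtml-sqlvar ... type="int">` does for the value side in Charlie's snippet, since a plain `<dtml-var table>` or `<dtml-var variable1>` performs no such check. The table `items`, its columns and the rows are constructed here in an in-memory sqlite3 database purely for the demonstration.

```python
import sqlite3

# Allow-lists fixed by the developer: identifiers cannot be bound as SQL
# parameters, so the only safe way to make them "dynamic" is to pick them
# from a closed set. Both names here are assumptions for the demo.
ALLOWED_TABLES = {"items"}
# column -> Python type a filter value must have (the "type=int" check)
FILTERABLE_COLUMNS = {"type": int, "id": int}


def build_query(table, filters):
    """Return (sql, params) for SELECT * FROM <table> with an optional WHERE.

    `filters` maps column name -> value. An empty dict gives the bare
    SELECT, so one builder covers all three of Jason's cases.
    """
    if table not in ALLOWED_TABLES:
        raise ValueError("table %r is not in the allow-list" % (table,))

    clauses, params = [], []
    for column, value in filters.items():
        expected = FILTERABLE_COLUMNS.get(column)
        if expected is None:
            raise ValueError("column %r is not filterable" % (column,))
        # bool is a subclass of int; reject it explicitly
        if isinstance(value, bool) or not isinstance(value, expected):
            raise TypeError("value for %r must be %s" % (column, expected.__name__))
        clauses.append("%s = ?" % column)   # identifier from allow-list
        params.append(value)                # value goes in as a parameter

    sql = "SELECT * FROM %s" % table
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, tuple(params)


def run_query(conn, table, filters):
    """Build and execute the query, returning all rows."""
    sql, params = build_query(table, filters)
    return conn.execute(sql, params).fetchall()


def demo_connection():
    """Constructed sample data: an in-memory table with id/type/name."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, type INTEGER, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(238, 6, "widget"), (239, 6, "gadget"), (240, 7, "gizmo")],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    for filters in ({}, {"type": 6}, {"id": 238}):
        sql, params = build_query("items", filters)
        print(sql, params, "->", run_query(conn, "items", filters))
    # A string where an int is expected is refused before any SQL is built.
    try:
        build_query("items", {"type": "6"})
    except TypeError as exc:
        print("rejected:", exc)
```

The point of the type check is that it fails closed: a request whose filter value is not an int never reaches the database, which is the behaviour `type="int"` gives the DTML version. Callers still get the plain `select * from table` when they pass no filters.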



