[Zope-DB] Passing a list to a ZSQL method?
jpenny at universal-fasteners.com
Fri May 21 15:19:28 EDT 2004
On Fri, 21 May 2004 11:28:59 -0700 (PDT)
Bryce Harrington <bryce at osdl.org> wrote:
> On Tue, 18 May 2004, Ian Bicking wrote:
> > On May 18, 2004, at 7:37 PM, Bryce Harrington wrote:
> > > I have a table to insert records with arbitrary numbers of columns
> > > into. To achieve this, I'd like to pass the ZSQL method a list
> > > object and construct the SQL statement like...
> > >
> > > INSERT INTO my_table (
> > > record_uid,
> > > <dtml-in params>
> > > param_<dtml-var sequence-item> <dtml-if expr="!
> > > sequence-end">,</dtml-if>
> > That should be <dtml-if "not _['sequence-end']">
> I've switched the code around to not need the condition, but it still
> won't work. The SQL code is:
> INSERT INTO test_request_to_test_parameter (
> <dtml-in params>
> ) VALUES (
> <dtml-in params>
> <dtml-var value>,
> <dtml-sqlvar name="test_request_uid" type="int">
I am really, really confused. If request['value'] is 'foo',
this would expand to:
INSERT INTO test_request_to_test_parameter (
) VALUES (
I don't see how this could possibly be what you want. I suspect that
REQUEST does not have a key 'value', so that this is the exception.
Moreover, I suspect that this whole approach is open to SQL injection,
unless you know the types of each parameter. Although, I have to admit
that this is so odd, that it _might_ be hard to take advantage of. And
you are making an implicit assumption that each column has a numeric
What are the row names in the table you are trying to insert into? What
values do you intend to insert?
> I'm calling it from a DTML page:
> <dtml-let params="(1,2,3,4)">
> Failure inserting into
> sql_add_test_request_to_test_parameter(last_id, params)
> It always throws the exception. Any ideas on what I might be doing
> wrong here?
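An added example, not part of the original message or of Zope: one way to build the variable-width INSERT discussed in this thread so that column names are checked against an expected shape and every value is bound rather than pasted into the SQL text. The `param_<n>` column scheme, the helper name `build_insert`, and the use of an in-memory sqlite3 database as a stand-in are assumptions.

```python
import re
import sqlite3

TABLE = "test_request_to_test_parameter"    # table name from the thread
PARAM_COLUMN = re.compile(r"param_[0-9]+")  # assumed column naming scheme


def build_insert(test_request_uid, values_by_column):
    """Return (sql, args) for one row: identifiers validated, values bound."""
    columns = ["test_request_uid"]
    args = [int(test_request_uid)]  # same coercion that type="int" asks for
    for column, value in sorted(values_by_column.items()):
        # Identifiers cannot be bound as parameters, so accept only the
        # expected shape and reject everything else.
        if not PARAM_COLUMN.fullmatch(column):
            raise ValueError("unexpected column name: %r" % (column,))
        columns.append(column)
        args.append(value)
    placeholders = ", ".join("?" for _ in columns)
    sql = "INSERT INTO %s (%s) VALUES (%s)" % (
        TABLE, ", ".join(columns), placeholders)
    return sql, args


def demo():
    """Run the helper against a constructed table and constructed input."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE %s (test_request_uid INTEGER, "
        "param_1, param_2, param_3, param_4)" % TABLE)
    # Constructed sample row; the last value looks like SQL but is only data.
    row = {"param_1": 1, "param_2": 2, "param_3": 3, "param_4": "4); --"}
    sql, args = build_insert(7, row)
    db.execute(sql, args)
    stored = db.execute("SELECT * FROM %s" % TABLE).fetchall()
    # A column name that does not match the allowlist never reaches the SQL.
    try:
        build_insert(7, {"param_1) VALUES (0); --": 1})
        rejected = False
    except ValueError:
        rejected = True
    return sql, stored, rejected


if __name__ == "__main__":
    print(demo())
```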