[Zope-DB] [Zope] Stored Procedures Versus ZSQL Methods
charlie at egenix.com
Wed Feb 18 03:53:31 EST 2009
On 18.02.2009, 00:58, <JPenny at ykksnap-america.com> wrote:
> Using external methods will be more work for the zope writer.
> I don't know enough to comment seriously on security issues,
> but I think that using procedures, like using bind variables, will
> make SQL Injection much harder.
The mxODBC Zope DA makes the execute() method available to connection object instances which allows for parameter binding and the next release will make this available for PythonScripts. Rather than use ExternalMethods, however, I'd suggest that you use Views instead which make tying everything together a lot easier.
Regarding performance: the comparisons we did a few years ago suggested that parameter binding is around 40% faster for non-cached access from Zope as Zope does quite a lot of work to turn ZSQL methods into usable queries. If the caching works for you then you will have pretty good performance because Zope will only actually run the query for something that isn't in the cache. Stored procedures can offer a performance improvement if you plan to manipulate the data in any way, i.e. if you want to get data out of several views and do something with it before you pass it to the browser. But most importantly - in the Zope world the RDBMS is unlikely ever to be your bottleneck.
Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
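As an added illustration of the parameter-binding point made in the reply above (this is not code from the post or from the mxODBC Zope DA): the same lookup built by string interpolation and by DB-API binding, with sqlite3 standing in for the real RDBMS and a constructed customer table.

```python
# Added example, not from the mailing-list post or the mxODBC Zope DA.
# Contrasts building SQL by string interpolation (what a hand-rolled
# query or a misused ZSQL method ends up doing) with DB-API parameter
# binding, which is what execute(sql, params) on a connection object
# gives you. sqlite3 stands in for the RDBMS so this runs offline;
# both sqlite3 and mxODBC use the "?" qmark parameter style.
import sqlite3


def make_db():
    """Constructed sample table: three customers, one with an apostrophe."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO customer (name) VALUES (?)",
                    [("Alice",), ("O'Brien",), ("Bob",)])
    return con


def find_interpolated(con, name):
    """Unsafe: the value is spliced into the SQL text the parser sees."""
    sql = "SELECT id, name FROM customer WHERE name = '%s'" % name
    return con.execute(sql).fetchall()


def find_bound(con, name):
    """Safe: the driver sends the value separately from the statement."""
    sql = "SELECT id, name FROM customer WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


def demo(name="O'Brien"):
    """Return (bound_result, interpolated_outcome) for a given name.

    With binding the apostrophe is plain data and the row comes back.
    With interpolation the apostrophe reaches the SQL parser and changes
    the statement, here surfacing as a syntax error.
    """
    con = make_db()
    bound = find_bound(con, name)
    try:
        interpolated = find_interpolated(con, name)
    except sqlite3.OperationalError as exc:
        interpolated = "error: %s" % exc
    return bound, interpolated


if __name__ == "__main__":
    bound, interpolated = demo()
    print("bound:       ", bound)
    print("interpolated:", interpolated)
```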