[Zope] Cannot pass parameters to External Method From inside a DTML Method

Tino Wildenhain tino at wildenhain.de
Thu Aug 4 06:58:13 EDT 2005


On Thursday, 04.08.2005, at 11:31 +0100, Thomas Apostolou wrote:
> I have in my "Extensions" folder the file
> "TestODBCEM.py" which contains the following code to
> select and return 40 rows by 8 columns of a query:
> 
> 
> def TestODBCEM(self, sysDSN="defDSN", usr="defUsr",
> mypass="defPass", sSQL="SELECT * FROM defTable",
> xx=40, yy=8):
>    id = self.id
>    import dbi
>    import odbc
>    connection=odbc.odbc(sysDSN+'/'+usr+'/'+mypass)
>    cur=connection.cursor()
>    cur.execute(sSQL)
>    data=cur.fetchall()
>    a=""
>    for x in range(0,int(xx)):
>       for y in range(0,int(yy)):
>          if data[x][y]=="":
>             a=a+"Null"+"---"
>          else:
>             a=a+str(data[x][y])+" --- "
>       a=a+"\n"
>    return data


This is not a good idea anyway.
1) it lets every user who knows the external method
   connect to every database on your host (depending
   on credentials if any)

2) even worse, it enables the user to issue any
   raw SQL string to the database, including but not
   limited to DROP table; DROP database; etc.

3) by not using Zope's infrastructure (read: Z(yourdb)DA,
   ZSQL-Methods), you have the expensive connect operation
   every time, lose the ability to easily work with Zope's
   transactions, have to quote and unquote values and so on.

So get a ZODBCDa or something like that and use it.
> 
> 
> I have used it and created an External Method in my
> Zope named "TestODBCEM"
> 
> 
> 
> Next I created a DTML Method named
> "GetQueryParamsDTML" with the following:
> 
> <html>
> <head>
> </head>
>   I will connect using : "<dtml-var id>" System DSN
>   Type the query to execute...
>   <form name="Params" action="./TestODBCEM"
> method="POST">
>         <input type="hidden" name="sysDSN:string"
> value=<dtml-var id>>
>         The SQL Query to be executed against the above
> DSN connection
>         	<input name="sSQL:string"><br>
>          <input type="hidden" name="mypass:string"
> value=<dtml-var passWD>><br>
>          <input type="hidden" name="usr:string"
> value=<dtml-var usrID>><br>
> 	<input type="submit" value=" Execute "><br>
>    </form>
> </html>
> 
> 
> and everything is ok as it returns something like this
> :
> [(1, 1054, 1001, '\xc1\xd0\xcf\xd3\xc2', 1001, 101,
> '\xc1\xd0\xcf\xd3\xc2\xc5\xd3\xc5\xc9\xd3
> \xd7\xd1\xc7\xd3\xc7\xd3', None, 1, None, None, None,
> None, None, 1, 1, 0, None, None, None, None, None,
> 1054, 1054, 1, 0, 0, 0, None, None, None, 0, None,
> None, None, 0, None, None, None, 0, 0, 0, None, None,
> None, 0, 0), (1, 1054, 9001, '\xc1\xd0\xcf\xd.....
> 
> Now I want to format the results to show them,
> so I change my "GetQueryParamsDTML" as follows:
> 
> <html>
> <head>
> </head>
>   I will connect using : "<dtml-var id>" System DSN
>   Type the query to execute...
>   <form name="Params" action="./ShowResults"
> method="POST">
>         <input type="hidden" name="sysDSN:string"
> value=<dtml-var id>>
>         The SQL Query to be executed against the above
> DSN connection
>         	<input name="sSQL:string"><br>
>          <input type="hidden" name="mypass:string"
> value=<dtml-var passWD>><br>
>          <input type="hidden" name="usr:string"
> value=<dtml-var usrID>><br>
> 	<input type="submit" value=" Execute "><br>
>    </form>
> </html>     
> 
> Now it calls another DTML Method named "ShowResults"
> which reads like this:
> 
> <dtml-var standard_html_header>
> <table border="1">
> <dtml-in TestODBCEM>

here you would write:

<dtml-in expr="TestODBCEM(sysDSN=sysDSN, ...)">

because your external Method does not magically 
read the REQUEST object. (You could do that there
by using self.REQUEST.get('sysDSN','default') )


>   <dtml-if sequence-even>
>     <tr bgcolor="lightgreen">
>   <dtml-else>
>     <tr>
>   </dtml-if>
>   <dtml-in sequence-item>
>     <td><dtml-var sequence-item></td>
>   </dtml-in>
>   </tr>    
> </dtml-in>
> <dtml-var standard_html_footer>
> 
> 
> The problem now is that, although the params of the
> GetQueryParamsDTML are passed to ShowResults through
> the REQUEST, the TestODBCEM does not use them. Instead
> the code is always using the defValues of its def
> line.
> When I was calling ./TestODBC from GetQueryParamsDTML 
> it was using the parameters I was submitting.
> 
> I tried to change the following line of ShowResults :
> <dtml-in TestODBCEM>
> to:
> <dtml-in expr="TestODBCEM('<dtml-var sysDSN>',
> '<dtml-var usr>', '<dtml-var mypass>', '<dtml-var
> sSQL>')">
> 
> but this one gives me an AttributeError ('str' object
> has no attribute 'id').
> 
> 
> 
> Does anyone know what I am doing wrong?
> I would appreciate it if you could help me.

See also:

http://www.plope.com/Books/2_7Edition/RelationalDatabases.stx



-- 
Tino Wildenhain <tino at wildenhain.de>
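
The three objections in the reply above, turned into a sketch; this is an added example, not code from the thread or from Zope. It assumes `sqlite3` as an offline stand-in for the ODBC database adapter, a dict as a stand-in for `self.REQUEST`, and a constructed `orders` table; `open_connection`, `QUERIES` and `run_named_query` are hypothetical names.

```python
import sqlite3

# Constructed stand-in for the connection a Zope database adapter would hold.
# DSN, user and password live on the server and never travel through a form.
def open_connection():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "acme", 10.5), (2, "acme", 99.0), (3, "globex", 7.25)])
    return conn

# Allowlist of fixed statements, playing the role of ZSQL Methods: the client
# picks a query by name and supplies values, never SQL text.
QUERIES = {
    "orders_by_customer": (
        "SELECT id, customer, total FROM orders "
        "WHERE customer = ? ORDER BY id LIMIT ?",
        ("customer", "limit"),
    ),
}
MAX_ROWS = 40  # same row ceiling as the xx=40 default in the original method

def run_named_query(request, conn):
    """Run an allowlisted query using values read from a REQUEST-like dict."""
    name = request.get("query", "")
    if name not in QUERIES:
        # Covers both unknown names and requests that only carry raw SQL.
        raise ValueError("unknown query: %r" % (name,))
    sql, arg_names = QUERIES[name]
    values = {
        "customer": str(request.get("customer", "")),
        # Clamp the row count so a client cannot ask for an unbounded result.
        "limit": min(max(int(request.get("limit", MAX_ROWS)), 1), MAX_ROWS),
    }
    # Values are bound by the driver, so nothing is quoted by hand.
    return conn.execute(sql, tuple(values[n] for n in arg_names)).fetchall()
```
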


