<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
<META content="MSHTML 6.00.2800.1226" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=113154917-08102003><FONT face=Arial>Hey
all,</FONT></SPAN></DIV>
<DIV><SPAN class=113154917-08102003><FONT face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=113154917-08102003><FONT face=Arial>i can appreciate not
wanting to leave wide-open sql calls,</FONT></SPAN></DIV>
<DIV><SPAN class=113154917-08102003><FONT face=Arial>but when it comes to
dynamic queries ...</FONT></SPAN></DIV>
<DIV><SPAN class=113154917-08102003><FONT face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=113154917-08102003><FONT face=Arial>we usually just need to
change the where clause.</FONT></SPAN></DIV>
<DIV><SPAN class=113154917-08102003><FONT face=Arial>That way you're restricting
the query to: "select * from x where "</FONT></SPAN></DIV>
<DIV><SPAN class=113154917-08102003><FONT face=Arial>so your database is not at
risk.</FONT></SPAN></DIV>
<DIV><SPAN class=113154917-08102003><FONT face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=113154917-08102003><FONT face=Arial>ciao</FONT></SPAN></DIV>
<DIV><SPAN class=113154917-08102003><FONT face=Arial></FONT></SPAN> </DIV>
<DIV> </DIV>
<DIV>On Wed, Apr 09, 2003 at 01:10:25PM +0200, Fernando Martins
wrote:<BR>><I> Thanks for replying,<BR></I>><I> ><BR></I>><I> >
It is quite easy. But you really, really, really don't want to do
it.<BR></I>><I> ><BR></I>><I> > zsql method<BR></I>><I> >
variable_sql<BR></I>><I> > parameter<BR></I>><I> >
command<BR></I>><I> > body<BR></I>><I> > <dtml-var
command><BR></I>><I> ><BR></I>><I> <BR></I>><I> It took me a
while to understand what you mean with this list of items. So,<BR></I>><I>
for the record, the idea is to create a zsql method called variable_sql
with<BR></I>><I> a parameter called command and a body having only
<dtml-var command>. The<BR></I>><I> zsql is called with a complete SQL
statement from wherever you want.<BR></I><BR>Yes, exactly.<BR><BR>><I>
<BR></I>><I> > Now, what is wrong with this?<BR></I>><I>
><BR></I>><I> > Well, you have no security, whatsoever. Anyone
who can access method<BR></I>><I> > variable_sql can do anything that they
want to our database. Even if<BR></I>><I> > you somehow limit access
to the method, you can't stop SQL injection.<BR></I>><I> > And you can't
debug the SQL, since you have no idea of what will be<BR></I>><I> >
executed.<BR></I>><I> ><BR></I>><I> <BR></I>><I> Well, in my case it's
for an Intranet and it's essentially a prototype.<BR></I>><I> <BR></I>><I>
> Go to the trouble now. It will reduce your trouble
later.<BR></I>><I> ><BR></I><BR>I wrote a howto on doing this. This
is a common idea _many_ new users<BR>have. I now deeply wish that I had
not done so. This is very bad<BR>magic. It makes your life
unpleasant for an unforeseeable time in the<BR>future. And when you are
prototyping is exactly the wrong time to do<BR>it! The problem is that you
then have an unauditable mess that can be<BR>fixed only by throwing everything
away.<BR><BR>I recommend that you do things in little steps. Start writing
your<BR>application in ZPT (or DTML) and pythonscripts. Every time you
need a<BR>SQL query, go off to the side, and write it. Test it from the
SQL test<BR>tab. That way you are reasonably confident that it works
before you put<BR>it in the ZPT. Put it in the ZPT. Test
again. Flesh out the ZPT.<BR>Test again.<BR><BR>One of the most pleasant
parts of zope is the ease of continuous,<BR>informal, small testing. Oh,
things will get past you, but if you test<BR>as you develop, a lot less gets
past you. I often test every time I<BR>create a new table row, or
paragraph, or whatever.<BR><BR>Jim Penny<BR>><I> <BR></I>><I>
Appreciated,<BR></I>><I> <BR></I>><I> Fernando<BR></I>><I>
<BR></I>><I> PS: thanks also to Michal.<BR></I>><I> <BR></I>><I>
<BR></I>><I> _______________________________________________<BR></I>><I>
Zope-DB mailing list<BR></I>><I> <A
href="mailto:Zope-DB@zope.org">Zope-DB@zope.org</A><BR></I>><I> <A
href="http://mail.zope.org/mailman/listinfo/zope-db">http://mail.zope.org/mailman/listinfo/zope-db</A><BR></I>><I>
<BR></I></DIV>
<P><FONT face=Verdana color=#000080 size=1>Jason LeMonier</FONT> <BR><FONT
face=Verdana color=#000080 size=1>Software Engineer</FONT> <BR><FONT
face=Verdana color=#000080 size=1>Retail Technologies International</FONT>
<BR><FONT face=Verdana color=#000080 size=1>Office
916.605.7262</FONT> <BR><FONT face=Verdana color=#000080 size=1>Mobile
415.595.0969</FONT> <BR><FONT face=Verdana color=#000080
size=1>Fax 916-914-2132</FONT> <BR><FONT
face=Verdana color=#000080 size=1>jlemonier@RetailPro.com</FONT> </P><BR>
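<P>As an added example (not code from this thread, nor from Zope), here is how the "only the WHERE clause changes" idea fares in plain Python with sqlite3: concatenating a caller-supplied clause still lets the caller rewrite the query, while an allowlist of columns and operators plus bound parameters keeps the SQL text fixed. The table name x is from the thread; the columns and rows are constructed for the demo.</P>

```python
"""Dynamic WHERE clauses without handing the caller raw SQL text.
Added example, not from the Zope-DB thread; schema and rows are constructed."""
import sqlite3

# Constructed sample table standing in for the thread's "x".
_SCHEMA = "CREATE TABLE x (id INTEGER, name TEXT, dept TEXT, salary INTEGER)"
_ROWS = [(1, "ann", "it", 50), (2, "bob", "hr", 40), (3, "cat", "it", 70)]


def _db():
    con = sqlite3.connect(":memory:")
    con.execute(_SCHEMA)
    con.executemany("INSERT INTO x VALUES (?,?,?,?)", _ROWS)
    return con


def query_unsafe(where_clause):
    """The 'restrict them to the WHERE clause' approach: the caller still
    controls SQL text, so a clause that is always true returns every row."""
    return _db().execute("SELECT * FROM x WHERE " + where_clause).fetchall()


# Allowlists of filterable columns and permitted operators. Nothing outside
# these ever becomes part of the SQL text; values travel as bound parameters.
_COLUMNS = {"id", "name", "dept", "salary"}
_OPS = {"=": "=", "!=": "<>", "<": "<", ">": ">"}


def build_where(filters):
    """filters: list of (column, op, value). Returns (sql_fragment, params).
    Raises ValueError for any column or operator not on the allowlist."""
    parts, params = [], []
    for col, op, value in filters:
        if col not in _COLUMNS or op not in _OPS:
            raise ValueError("disallowed filter %r" % ((col, op),))
        parts.append('"%s" %s ?' % (col, _OPS[op]))   # identifier from allowlist only
        params.append(value)                          # value is bound, never spliced
    return " AND ".join(parts) or "1=1", params


def query_safe(filters):
    """Same SELECT, but the WHERE text is built only from allowlisted pieces."""
    sql, params = build_where(filters)
    return _db().execute("SELECT * FROM x WHERE " + sql, params).fetchall()
```

Running query_unsafe with an always-true clause returns the whole table, whereas the same text passed as a value to query_safe simply matches nothing.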
<DIV> </DIV></BODY></HTML>