[Zope-DB] How can I dynamically generate a Z Search Interface?

Jim Penny jpenny@universal-fasteners.com
Fri, 6 Sep 2002 17:03:08 -0400


On Fri, Sep 06, 2002 at 08:33:00PM +0200, Dieter Maurer wrote:
> Tena Sakai writes:
>  > Many thanks for your response and advice.  It finally registered
>  > in my brains.  I can also see that it is dangerous to use Z SQL
>  > method in this fashion.  I am interested in pursuing a use of
>  > External Method.  Would you have any comments/advice for
>  > such?
> Database adapters can be called to get a database connection.
> 
> A database connection has a "query" method to send SQL commands to
> its database.
> 
> Going this route lets you leave the well documented path.
> You will probably need to read sources and experiment...

Moreover, you will lose some things and gain nothing.  

You gain nothing, because you will still have to worry about SQL 
Injection problems, that is, you will still have to properly quote 
arguments.  Mostly this is easy, but if you use IN clauses in your 
queries, it can be a bit tricky.  

More importantly, you lose two things.  First, you will probably lose
connection caching (or have to do it yourself).  For many databases,
this is a biggy, as this can take tenths of seconds.

Second, you lose testability (and thus, most probably, reliability).
That is, when you have a problematic query, you have to discover what
query was generated, which may or may not be easy, and then worry about
the code that generated it.  One of the nice things about ZSQL methods,
is that, absent complex sqlgroup clauses, they are very testable.  

It is better to define tens of SQL methods that can be easily audited
and that cannot cause SQL Injection, than it is to create a general
method that causes security problems.  Storage requirements are small!

Jim Penny

> Dieter
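An added example, not code from the thread or from Zope, illustrating the quoting point Jim makes: a query assembled by hand breaks on a plain vendor name containing an apostrophe, while DB-API parameter binding handles it, including the variable-length IN clause he calls tricky. The table and rows are constructed for the example.

```python
import sqlite3

# Constructed sample table; nothing here comes from the mailing-list thread.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fastener (part TEXT, vendor TEXT, qty INTEGER)")
    conn.executemany("INSERT INTO fastener VALUES (?, ?, ?)", [
        ("bolt-m6", "O'Brien", 100),
        ("nut-m6", "Acme", 250),
        ("washer-m6", "Acme", 40),
    ])
    return conn

def build_query_unsafe(vendor):
    # The pattern the thread warns against: the caller pastes the argument
    # into the SQL text and is responsible for quoting it correctly.
    # A legitimate value such as O'Brien already produces malformed SQL.
    return "SELECT part FROM fastener WHERE vendor = '%s'" % vendor

def parts_by_vendor(conn, vendor):
    # Parameter binding: the driver quotes the value and the SQL text is
    # fixed, so the statement can be read, audited and tested on its own.
    rows = conn.execute(
        "SELECT part FROM fastener WHERE vendor = ? ORDER BY part", (vendor,))
    return [r[0] for r in rows]

def parts_in_vendors(conn, vendors):
    # The IN-clause case: the number of values is not known in advance, so
    # only the placeholder list is generated from len(vendors); every value
    # is still bound by the driver, never pasted into the SQL text.
    if not vendors:
        return []
    marks = ", ".join("?" * len(vendors))
    sql = "SELECT part FROM fastener WHERE vendor IN (%s) ORDER BY part" % marks
    return [r[0] for r in conn.execute(sql, tuple(vendors))]
```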