[Zope-DB] How to import SQL in python script???

Jim Penny jpenny@universal-fasteners.com
Wed, 12 Feb 2003 13:09:25 -0500


On Wed, Feb 12, 2003 at 12:16:17PM -0500, eijgnit@netscape.net wrote:
> Dear all, 
> 
> As a follow-up to my earlier question on the above topic: because the SQL statement I need to query the database with depends on a lot of variables (sometimes I even have to query another relation), I could use sqlgroup and sqltest to do the above.
> 
> But here's another solution: create a ZSQLMethod with only one argument called, say, "sql", and in the contents just have "<dtml-var sql>". Effectively, what this does is query the database according to what the argument sql is (which of course must be a valid SQL statement).
> 
> So instead of having tons of ZSQLMethod objects with a lot of "hard-coded" SQL statements, you could instead just use one generic ZSQLMethod that can accept any SQL statement. I think if you need to work with a lot of tables and relations, a generic ZSQLMethod is pretty useful. It sure makes things a lot easier for me. At least I get to see how my SQL statement is structured before sending it to the DBMS. Now I still need to figure out an easy way to join two relations from two databases. :(
> 
> 
> Regards,
> Tj
> 

Bad idea!  Unless you have only a completely trusted audience that never
makes mistakes.

You will be allowing anyone who can access your Zope to do anything they
want to your database, including deleting tables, and, if you are
really unlucky, this could be caused by an honest mistake of dropping a
quote mark or accidentally inserting a semicolon.

The reason that ZSQL methods exist (and have special quoting
conventions) is to stop SQL injection.  Do not make your methods less
secure than they need to be!

Jim Penny
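The following is an added example, not code from either message or from Zope itself. It uses Python's standard sqlite3 module to act out both halves of the reply: a "generic" method that forwards whatever SQL text it is handed (the `<dtml-var sql>` proposal) next to a lookup that binds the value as a parameter, which is the job `<dtml-sqlvar>` quoting does inside a real ZSQL method. Two inputs are tried: a perfectly ordinary name containing an apostrophe (the "honest mistake") and a crafted value that closes the quote and appends a DROP TABLE. The schema, the user names, and the `generic_sql_method` helper are all constructed for the demo; the helper's splitting on `;` is an assumption standing in for a database adapter that accepts several statements per request, since Python's sqlite3 refuses stacked statements in `execute()`.

```python
import sqlite3

# Constructed sample data for the demonstration; no real schema or users.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
INSERT INTO users (name, email) VALUES ('alice', 'alice@example.com');
INSERT INTO users (name, email) VALUES ('O''Brien', 'obrien@example.com');
CREATE TABLE audit_log (id INTEGER PRIMARY KEY, entry TEXT);
INSERT INTO audit_log (entry) VALUES ('first login');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def tables(conn):
    """Names of all user tables, so the demo can show what survived."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    ).fetchall()
    return [r[0] for r in rows]


# --- The proposed "generic" method: one argument, sent to the DBMS as-is ----

def generic_sql_method(conn, sql):
    """Stand-in for a ZSQL method whose whole body is <dtml-var sql>.

    Assumption for the demo: a DBMS adapter that accepts several
    ';'-separated statements in one request (the "unlucky" case in the
    reply). sqlite3.execute() refuses that, so this crude helper splits
    on ';' and runs each piece, returning the rows of the last one.
    """
    cur = conn.cursor()
    rows = []
    for stmt in (s.strip() for s in sql.split(";")):
        if stmt:
            cur.execute(stmt)
            rows = cur.fetchall()
    return rows


def lookup_user_by_concatenation(conn, name):
    """The caller pastes a variable into SQL text, as the proposal requires."""
    return generic_sql_method(
        conn, "SELECT id, name FROM users WHERE name = '%s'" % name)


# --- The bound-parameter alternative (what sqlvar-style quoting is for) -----

def lookup_user_safe(conn, name):
    """The value travels as a parameter, never as SQL text."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


HONEST_MISTAKE = "O'Brien"                          # just a name with a quote in it
INJECTION = "x'; DROP TABLE audit_log; SELECT '1"   # closes the quote, stacks statements


def demo():
    """Run both styles against both inputs and return a summary dict."""
    out = {}
    conn = make_db()

    # Parameter binding: the apostrophe is data, the injection string
    # matches nobody, and the schema is untouched.
    out["safe_quote"] = lookup_user_safe(conn, HONEST_MISTAKE)
    out["safe_injection"] = lookup_user_safe(conn, INJECTION)
    out["tables_after_safe"] = tables(conn)

    # Generic method: an ordinary apostrophe is already a syntax error ...
    try:
        lookup_user_by_concatenation(conn, HONEST_MISTAKE)
        out["generic_quote"] = "ok"
    except sqlite3.OperationalError:
        out["generic_quote"] = "OperationalError"

    # ... and a crafted value runs arbitrary statements: audit_log is gone.
    out["generic_injection"] = lookup_user_by_concatenation(conn, INJECTION)
    out["tables_after_generic"] = tables(conn)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point of the two input values is that they fail in the same place: the generic method cannot tell an apostrophe typed by a user from one typed by an attacker, because by the time the text reaches the database the distinction is gone. Binding the value (or, in ZSQL, letting sqlvar quote it) keeps that distinction, so the first input finds the row and the second finds nothing.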