[Zope-DB] Passing a list to a ZSQL method?
Jim Penny
jpenny at universal-fasteners.com
Fri May 21 15:19:28 EDT 2004
On Fri, 21 May 2004 11:28:59 -0700 (PDT)
Bryce Harrington <bryce at osdl.org> wrote:
>
> On Tue, 18 May 2004, Ian Bicking wrote:
> > On May 18, 2004, at 7:37 PM, Bryce Harrington wrote:
> > > I have a table to insert records with arbitrary numbers of columns
> > > into. To achieve this, I'd like to pass the ZSQL method a list
> > > object and construct the SQL statement like...
> > >
> > > INSERT INTO my_table (
> > > record_uid,
> > > <dtml-in params>
> > > param_<dtml-var sequence-item> <dtml-if expr="!
> > > sequence-end">,</dtml-if>
> >
> > That should be <dtml-if "not _['sequence-end']">
>
> I've switched the code around to not need the condition, but it still
> won't work. The SQL code is:
>
> INSERT INTO test_request_to_test_parameter (
> <dtml-in params>
> param_1,
> </dtml-in>
> test_request_uid
> ) VALUES (
> <dtml-in params>
> <dtml-var value>,
> </dtml-in>
> <dtml-sqlvar name="test_request_uid" type="int">
> )
I am really really confused. If request['value'] is 'foo', this would expand to:
INSERT INTO test_request_to_test_parameter (
param_1,
param_2,
param_3,
param_4,
test_request_uid
) VALUES (
'foo',
'foo',
'foo',
'foo',
last_id's value
)
I don't see how this could possibly be what you want. I suspect that
REQUEST does not have a key 'value', so that this is the exception.
Moreover, I suspect that this whole approach is open to SQL injection,
unless you know the types of each parameter. Although, I have to admit
that this is so odd, that it _might_ be hard to take advantage of. And
you are making an implicit assumption that each column has a numeric
type.
What are the row names in the table you are trying to insert into? What
values do you intend to insert?
Jim Penny
> I'm calling it from a DTML page:
>
> <dtml-try>
> <dtml-let params="(1,2,3,4)">
> <dtml-call
> expr="method.sql_add_test_request_to_test_parameter(last_id,
> params)">
> </dtml-let>
> <dtml-except>
> Failure inserting into
> sql_add_test_request_to_test_parameter(last_id, params)
> </dtml-try>
>
> It always throws the exception. Any ideas on what I might be doing
> wrong here?
>
> Bryce
>
>
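An added Python example (using sqlite3; not code from the thread) of the safe shape of what Bryce is attempting and what Jim's SQL-injection remark points at: the column names are derived from the list position and checked against an allowlist, and every value, including the request id, is bound as a parameter rather than interpolated into the SQL text. The table schema and the four numeric param columns are assumptions.

```python
import sqlite3

# Constructed schema mirroring the table named in the thread; the four
# numeric param columns are an assumption for this example.
SCHEMA = """
CREATE TABLE test_request_to_test_parameter (
    param_1 INTEGER, param_2 INTEGER, param_3 INTEGER, param_4 INTEGER,
    test_request_uid INTEGER NOT NULL
)
"""
ALLOWED_PARAM_COLUMNS = frozenset({"param_1", "param_2", "param_3", "param_4"})


def build_insert(params, request_uid, allowed=ALLOWED_PARAM_COLUMNS):
    """Return (sql, bound_values) for a variable-length parameter list.

    Column names come from the list *position* and an allowlist, so caller
    data never reaches the SQL text; every value is bound via a placeholder,
    which is what <dtml-sqlvar> does and <dtml-var> does not.
    """
    columns = [f"param_{i}" for i in range(1, len(params) + 1)]
    unknown = [c for c in columns if c not in allowed]
    if unknown:
        raise ValueError(f"no such column(s): {', '.join(unknown)}")
    # The thread assumes each param column is numeric; enforce it up front.
    for column, value in zip(columns, params):
        if isinstance(value, bool) or not isinstance(value, int):
            raise TypeError(f"{column} expects an int, got {value!r}")
    if not isinstance(request_uid, int):
        raise TypeError("test_request_uid must be an int")
    columns.append("test_request_uid")
    sql = ("INSERT INTO test_request_to_test_parameter "
           f"({', '.join(columns)}) VALUES ({', '.join('?' * len(columns))})")
    return sql, [*params, request_uid]


def insert_into_memory_db(params, request_uid):
    """Run the statement against an in-memory table and return the stored
    row, so the binding can be checked end to end."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    sql, values = build_insert(params, request_uid)
    cur = conn.execute(sql, values)
    row = conn.execute(
        "SELECT * FROM test_request_to_test_parameter WHERE rowid = ?",
        (cur.lastrowid,)).fetchone()
    conn.close()
    return row
```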