[Zope-DB] Using <dtml-var>s in ZSQL methods?

Maciej Wisniowski maciej.wisniowski at coig.katowice.pl
Mon Jun 18 01:33:37 EDT 2007

> I tried to invoke the "query" method of my adapter (which is named
> "dhatabase") with this code:
> "
> p = context.REQUEST.get('delete_this')
> if p:
>     s = ', '.join([str(x) for x in p])
>     t = "delete from person where person_id in (%s);" % s
>     context.dhatabase.query(query_string=t)
> "
> ...and got this error: "AttributeError: query" (full traceback at end of
> message).  What's wrong with my method call?


Assuming that 'dhatabase' is your DatabaseConnection object.

> I also have a broader question:  When one is composing dynamic SQL in Python
> scripts, what are the pros and cons of executing them by going directly to
> the database adapter (as suggested above) vs passing it in as the sole
> argument of an "empty" ZSQL method?  By "empty" ZSQL method I mean something
> like:
I think in this case there is no difference. Both ways may be harmful
unless you're sure that it is not possible to do SQL injection.

Maciej Wisniowski
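The point about SQL injection applies to the quoted script regardless of which execution path is used: `str(x)` passes any request value into the statement verbatim. The following is an added example, not code from the thread or from Zope; it places the quoted builder next to a version that validates every id and passes the values as DB-API parameters, and runs the safe form against a constructed in-memory SQLite table (no Zope or `dhatabase` object is involved).

```python
import re
import sqlite3

def build_delete_unsafe(ids):
    """The quoted approach: str() each value and splice it into the SQL.
    Anything that is not a number reaches the statement unchanged."""
    s = ', '.join([str(x) for x in ids])
    return "delete from person where person_id in (%s);" % s

def validate_ids(ids):
    """Accept only whole decimal integers (ints or digit-only strings).
    Everything else is rejected before any SQL text exists."""
    clean = []
    for x in ids:
        if isinstance(x, int) and not isinstance(x, bool):
            clean.append(x)
        elif isinstance(x, str) and re.fullmatch(r"[0-9]+", x):
            clean.append(int(x))
        else:
            raise ValueError("rejected person_id value: %r" % (x,))
    if not clean:
        raise ValueError("empty id list")
    return clean

def build_delete_safe(ids):
    """Parameterised form (DB-API 'qmark' style): the SQL contains fixed
    text and one placeholder per validated id; the values are handed to
    the driver separately, so they are never parsed as SQL."""
    clean = validate_ids(ids)
    placeholders = ', '.join('?' for _ in clean)
    sql = "delete from person where person_id in (%s);" % placeholders
    return sql, tuple(clean)

def delete_persons(ids, seed=(1, 2, 3, 4, 5)):
    """Run the safe delete against a constructed in-memory 'person' table
    and return the ids that remain, so the effect can be checked."""
    con = sqlite3.connect(":memory:")
    con.execute("create table person (person_id integer primary key)")
    con.executemany("insert into person values (?)", [(i,) for i in seed])
    sql, params = build_delete_safe(ids)
    con.execute(sql, params)
    rows = [r[0] for r in con.execute("select person_id from person order by 1")]
    con.close()
    return rows
```

The same validation step is what a ZSQL method gets from `<dtml-sqlvar ... type="int">` or `<dtml-sqltest ... type="int" multiple>` in place of a bare `<dtml-var>`; a Python script that builds the statement itself has to supply it explicitly.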
