[Zope-DB] Using <dtml-var>s in ZSQL methods?

Charlie Clark charlie at egenix.com
Mon Jun 18 10:30:14 EDT 2007

Am 18.06.2007, 16:03 Uhr, schrieb <JPenny at ykksnap-america.com>:

> There are no pros and cons.  Only cons.

This is generally right, unless you use .execute(statement, (paras,)) on  
the DA like you can with the mxODBC Zope DA. Although admittely this is  
currently only available for ExternalMethods. Adding supporting for  
.execute() in a DA is not hard. However, this should only be used  
occasionally if it is important to generate your SQL and using something  
like SQLalchemy isn't appropriate.

> There is a good argument to be made that ZSQL methods are entirely
> a bad idea -- that only prepared statements should be supported, as it
> is far harder to break security.

I don't think they are a bad idea in fact I find them very helpful but  
they could be updated to use prepared statements with bound parameters  
which require the driver to quote parameters. I've started work on a  
simpleSQLTemplate which uses string.Template to support $placeholders

"SELECT id FROM table WHERE id = $value"
"SELECT id FROM table WHERE id = ?", (value,) # generate the SQL using the  
appropriate paramstyle for the underlying DB driver.

Charlie Clark

Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/

:::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,MacOSX for free ! ::::

     eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
     D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
            Registered at Amtsgericht Duesseldorf: HRB 46611

More information about the Zope-DB mailing list