[Zope-DB] [Zope] Stored Procedures Versus ZSQL Methods

Charlie Clark charlie at egenix.com
Wed Feb 18 03:53:31 EST 2009

On 18.02.2009 at 00:58, <JPenny at ykksnap-america.com> wrote:

> Using external methods will be more work for the zope writer.
> I don't know enough to comment seriously on security issues,
> but I think that using procedures, like using bind variables, will
> make SQL Injection much harder.

The mxODBC Zope DA makes the execute() method available to connection object instances, which allows for parameter binding, and the next release will make this available for PythonScripts. Rather than use ExternalMethods, however, I'd suggest that you use Views instead, which make tying everything together a lot easier.

Regarding performance: the comparisons we did a few years ago suggested that parameter binding is around 40% faster for non-cached access from Zope, as Zope does quite a lot of work to turn ZSQL methods into usable queries. If the caching works for you, then you will have pretty good performance because Zope will only actually run the query for something that isn't in the cache. Stored procedures can offer a performance improvement if you plan to manipulate the data in any way, i.e. if you want to get data out of several views and do something with it before you pass it to the browser. But most importantly - in the Zope world the RDBMS is unlikely ever to be your bottleneck.

Charlie Clark

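The difference between rendering a value into the SQL text and binding it as a parameter, which the thread above turns on, shown as an added example that is not part of the original message or of any eGenix or Zope code. Python's built-in sqlite3 stands in for the database adapter, and the table, the function names and the sample inputs are constructed for illustration.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for any DB-API 2.0 connection.
ROWS = [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ROWS)
    return conn


def lookup_rendered(conn, name):
    """Value is pasted into the SQL text, so the database parses it as SQL."""
    sql = "SELECT name, role FROM accounts WHERE name = '%s'" % name
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error: %s" % type(exc).__name__


def lookup_bound(conn, name):
    """Value travels separately from the statement and is only ever data."""
    sql = "SELECT name, role FROM accounts WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(inputs):
    conn = make_db()
    return {v: (lookup_rendered(conn, v), lookup_bound(conn, v)) for v in inputs}


# Constructed inputs: a plain value, a legitimate value containing a quote,
# and a value that changes the WHERE clause when rendered into the text.
INPUTS = ["alice", "O'Brien", "x' OR '1'='1"]

if __name__ == "__main__":
    for value, (rendered, bound) in compare(INPUTS).items():
        print("%-16r rendered=%r bound=%r" % (value, rendered, bound))
```

The rendered query fails outright on the legitimate name containing an apostrophe and returns every row for the third input, while the bound query treats all three values as plain data.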