[Zope-dev] DTML sqltest tag and python expr. Bug in Zope Book?

Yves-Eric Martin yemartin@yve.net
Thu, 28 Jun 2001 15:31:56 +0900


Hello everyone,


I was recently working on a quite big ZSQL method (around 100 lines).
I was using only <dtml-if> and <dtml-sqlvar> tags and a lot of
"like '%...%'", so thought I could make things look much nicer using
<dtml-sqlgroup> and <dtml-sqltest ... op="like" optional>. But I ran
into a big hurdle:

I quickly searched through the archive and found the thread
"[Zope-dev] ZSQL using LIKE operator", and in particular:
http://lists.zope.org/pipermail/zope-dev/2001-February/009339.html
which is exactly what I would like to do.

But unfortunately, <dtml-sqltest "..."> does not seem to work.
We get the following error:

  " The "..." shorthand for expr was used in a tag that doesn't
    support expr attributes., for tag <dtml-sqltest [...] "


I checked sqltest.py (Zope 2.3.2): no support for python expr in
there. Interestingly, the Zope Book mentions the use of python
expressions with sqltest in its DTML Reference:
http://www.zope.org/Members/michel/ZB/AppendixA.dtml
Is there a patched sqltest.py that I don't know about or is this a
bug in the book?


Anyway, does anyone know of a good reason why the sqlvar tag
supports python expr while sqltest does not? Some obscure security
hole? Or is the functionality just missing? And in that case,
is anyone up for a patch?


It's not critical, but the following kind of defeats the purpose
of sqlgroup:

    <dtml-sqlgroup where required>
      <dtml-if title>
        title like <dtml-sqlvar "'%%%s%%' % title" type="string">
      </dtml-if>
    <dtml-and>
      <dtml-if author>
        title like <dtml-sqlvar "'%%%s%%' % author" type="string">
      </dtml-if>
    </dtml-sqlgroup>


The following would be much nicer:

    <dtml-sqlgroup where required>
      <dtml-sqltest "'%%%s%%' % title" op="like" type="string" optional>
    <dtml-and>
      <dtml-sqltest "'%%%s%%' % author" op="like" type="string" optional>
    </dtml-sqlgroup>


Note: in this particular case, I could preprocess the variables and add
the surrounding wildcards in the call to the ZSQL method. But that would
restrict the way this method can be called (URL traversal is
definitively a cool feature to impress newbies ;) ), and that's
not the point here
anyway: we would just like python expressions in sqltest tags.



Cheers,

--
Yves-Eric MARTIN
yemartin@yve.net
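
Added example, not part of the original post and not Zope code: a plain-Python model of the query the `sqlgroup` with optional LIKE tests is meant to produce, with the values passed as bound parameters. The `books` table, its columns and all function names are assumptions made for the illustration; the example goes beyond the post by also escaping `%` and `_` in the caller's input so they match literally, and it models `required` as raising when no test is rendered.

```python
import sqlite3

ALLOWED_COLUMNS = {"title", "author"}  # assumed schema for this example

def like_pattern(value):
    # Escape LIKE metacharacters so user input matches literally,
    # then add the surrounding wildcards (the '%%%s%%' % value step).
    for ch in ("\\", "%", "_"):
        value = value.replace(ch, "\\" + ch)
    return "%" + value + "%"

def build_where(tests, required=True):
    # tests: list of (column, value). Empty values are skipped, like `optional`.
    clauses, params = [], []
    for column, value in tests:
        if column not in ALLOWED_COLUMNS:
            raise ValueError("unknown column: %r" % column)
        if not value:
            continue
        # Column names come from the allow-list; values are always bound.
        clauses.append(column + " LIKE ? ESCAPE '\\'")
        params.append(like_pattern(value))
    if not clauses:
        if required:
            raise ValueError("Not enough input was provided")
        return "", []
    return "WHERE " + " AND ".join(clauses), params

def search(conn, title=None, author=None):
    where, params = build_where([("title", title), ("author", author)])
    sql = "SELECT title, author FROM books " + where + " ORDER BY title"
    return conn.execute(sql, params).fetchall()

def sample_db():
    # Constructed sample data, not from the original post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (title TEXT, author TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?)", [
        ("The Zope Book", "Latteier"),
        ("100% Python", "Martin"),
        ("1000 Python Tips", "Martin"),
    ])
    return conn

if __name__ == "__main__":
    print(search(sample_db(), title="python", author="mart"))
```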