[Zope] Newbie Q: Passing REQUEST.form data to a Z SQL Method

Alexander Staubo alex@mop.no
Mon, 21 Jun 1999 04:13:41 +0200


If I understand your problem correctly, you'd like to pass form
variables to the SQL Method? If so, here's one way of doing it:

  <!--#call "Test_sql(REQUEST)"-->

This will essentially make REQUEST part of the namespace accessible to
Test_sql. Note that this would lead to problems if your SQL Method
refers to variables that should not be overridable by REQUEST, such as
security-related "where" conditions.

To avoid such cases, pass all pertinent variables explicitly, like so:

  <!--#call "Test_sql(name = REQUEST.name, salary = salaryfilter)"-->

This prevents malicious users from requesting URLs like
http://www.foo.com/ViewEmployees?name=myname&salary=40000 (assuming you
want to block this, of course).

Does this answer your question?

--
Alexander Staubo             http://www.mop.no/~alex/
"It has taken the planet Earth 4.5 billion years to discover it is
4.5 billion years old." --George Wald

>-----Original Message-----
>From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of Rafael Alvarado
>Sent: 21. juni 1999 04:01
>To: zope@zope.org
>Subject: [Zope] Newbie Q: Passing REQUEST.form data to a Z SQL Method
>
>
>I have a Z SQL Method that takes an argument.  It was constructed with the
>"Add" --> "Z SQL Method" form.  The method works fine when the argument is
>provided by the automatically built search interface when testing it.
>
>Now, how do I have the argument value supplied by a DTML page that passes
>the value directly as a REQUEST.form object?
>
>It seems that this should be a very simple problem, yet I have searched all
>available documents for an answer without success.  Thanks to anyone who can
>help.
>
>Rafael C. Alvarado, Coordinator of Humanities and Social Sciences Computing
>McGraw Center for Teaching and Learning, Princeton University
>C-15-E Firestone Library, alvarado@princeton.edu
>
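
An added example, not part of the original message and not Zope code: a small Python model of the two call styles in the reply, showing how a request-supplied "salary" shadows a server-side filter when the whole request is handed over. The function names, table and sample data are assumptions made for illustration; ChainMap stands in for a namespace in which request values are consulted first.

```python
import sqlite3
from collections import ChainMap

# Constructed sample data, not from the original post.
EMPLOYEES = [("alice", 30000), ("bob", 38000), ("carol", 95000)]
SALARYFILTER = 40000  # server-side ceiling the visitor must not change


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (name TEXT, salary INTEGER)")
    db.executemany("INSERT INTO employees VALUES (?, ?)", EMPLOYEES)
    return db


def sql_method(db, namespace):
    """Hypothetical stand-in for the SQL Method: it resolves 'name' and
    'salary' from whatever namespace the caller hands it."""
    params = {"name": namespace["name"], "salary": int(namespace["salary"])}
    rows = db.execute(
        "SELECT name FROM employees "
        "WHERE name LIKE :name AND salary <= :salary ORDER BY name",
        params,
    )
    return [r[0] for r in rows]


def call_with_whole_request(db, form):
    # Models Test_sql(REQUEST): request values are looked up first, so a
    # 'salary' query parameter shadows the server-side filter.
    return sql_method(db, ChainMap(form, {"salary": SALARYFILTER}))


def call_with_explicit_args(db, form):
    # Models Test_sql(name = REQUEST.name, salary = salaryfilter): only
    # 'name' comes from the request; any extra parameter is ignored.
    return sql_method(db, {"name": form["name"], "salary": SALARYFILTER})


if __name__ == "__main__":
    db = make_db()
    honest = {"name": "%"}
    tampered = {"name": "%", "salary": "999999"}  # constructed request
    for form in (honest, tampered):
        print(form, call_with_whole_request(db, form),
              call_with_explicit_args(db, form))
```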