I agree. However, this is true of all DTML. I mean, it's just as true in DTML methods that might REQUEST.set the args to the ZSQLMethod, i.e. they could be tricked into REQUEST.set(ing) a false total etc. because they look up all of their variables in the namespace.

Cheers,
Tim

Paul Zwarts wrote:
Hi Tim,
Just to play devil's advocate: it seems this way, that methods pulling non-specifically from the namespace could allow ways to modify the result if someone paid close attention to what's going on, i.e. the total price of your shopping cart before it's sent to the transaction broker. It requires the programmer to take even closer care that all variables generated at runtime are first cleaned and wiped so that this same REQUEST couldn't just be anticipated by someone who's interested.
Or can you suggest a way around this?
Thanks, Paul Zwarts
-----Original Message-----
From: zope-dev-admin@zope.org [mailto:zope-dev-admin@zope.org] On Behalf Of Tim McLaughlin
Sent: Thursday, October 11, 2001 1:30 PM
To: zope-dev@zope.org
Cc: Micah Martin
Subject: [Zope-dev] ZSQL methods lookup vars in REQUEST only (why?)
I've been asked too many times now by developers what is wrong when they call ZSQL Methods without passing parameters because their parameters are in the namespace. This seems to make sense to all new Zopers (and some older ones like myself) because all other DTML lookups are in the entire namespace.
Anyway, I propose that ZSQLMethods change and do variable lookups in the entire namespace, not just the REQUEST object. It seems to be a simple enough change (at least it looks it) and I can submit the patches, but the harder thing is to get people to agree that it is a change for the better.
The only argument that I have heard against it is that variables will be found mysteriously through the stack and that this is harder to understand. However, that just makes it inconsistent with all other DTML and therefore mysterious in its own way.
Consistency is much better for learning and for remembering, and DTML in ZSQL should work the same as DTML in DTML Methods, etc. Please consider this and abuse me as appropriate ;)
Regards,
Tim
--
Tim McLaughlin
iterationZERO - www.iterationzero.com
703.481.2233
_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
--
Tim McLaughlin
iterationZERO - www.iterationzero.com
703.481.2233
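Added example, not code from this thread or from Zope itself: a small Python model of the three binding styles discussed above (a ZSQL-style method that resolves its declared arguments from REQUEST only, Tim's proposed full-namespace lookup, and explicit argument binding) with an audit helper that flags arguments whose value came straight from the client request, which is Paul's shopping-cart concern. The layer order, the cart values and all names (`resolve`, `bind_arguments`, `place_order`, `INSERT_ORDER_ARGS`) are assumptions made for the illustration.

```python
# Hypothetical model of DTML/ZSQL argument lookup; not Zope's real code.

def resolve(name, layers):
    """DTML-style search: the most recently pushed layer wins.
    Returns (layer_label, value) so callers can tell where a value came from."""
    for label, mapping in reversed(layers):
        if name in mapping:
            return label, mapping[name]
    raise KeyError(f"unbound argument: {name}")

def bind_arguments(arg_names, layers, explicit=None):
    """Bind a ZSQL-style method's declared arguments: explicit keyword
    arguments win; anything else is looked up by name in `layers`."""
    explicit = explicit or {}
    bound = {}
    for n in arg_names:
        bound[n] = ("explicit", explicit[n]) if n in explicit else resolve(n, layers)
    return bound

def request_controlled(bound):
    """Audit: declared arguments whose value came directly from REQUEST.
    A price or an account id showing up here is the red flag Paul describes."""
    return sorted(n for n, (src, _) in bound.items() if src == "REQUEST")

INSERT_ORDER_ARGS = ("customer", "total")   # args the hypothetical ZSQL method declares

def place_order(form, cart_cents, full_namespace, explicit):
    """The calling DTML method computes the total server-side, then calls the
    ZSQL-style insert.  `full_namespace` models Tim's proposal (search the whole
    stack, so a dtml-let pushed above REQUEST shadows it); `explicit` models
    passing total=... directly, which is safe under either lookup rule."""
    total = sum(price * qty for price, qty in cart_cents)
    layers = [("REQUEST", form)]
    if full_namespace:
        layers.append(("dtml-let", {"customer": "alice", "total": total}))
    kw = {"customer": "alice", "total": total} if explicit else None
    return bind_arguments(INSERT_ORDER_ARGS, layers, kw)

# Constructed request: the client added its own 'total' field to the order form.
TAMPERED_FORM = {"customer": "alice", "total": 1, "submit": "Buy"}
CART = [(1999, 2), (202, 1)]                  # prices in cents: 3998 + 202 = 4200

if __name__ == "__main__":
    for ns, ex in ((False, False), (True, False), (False, True)):
        bound = place_order(TAMPERED_FORM, CART, ns, ex)
        print(f"full_namespace={ns} explicit={ex}: total={bound['total']}, "
              f"request-controlled={request_controlled(bound)}")
```

Under REQUEST-only lookup with no explicit binding the tampered 1-cent total wins; pushing the computed value above REQUEST or binding it explicitly keeps the server's 4200.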