Something I'm just curious about...
where <!--#sqltest name column=column_name type=column_type-->
VS.
where column_name = <!--#var name-->
Is the only advantage of using the first (sqltest) the type checking? I can't find any other obvious advantages.
I haven't played with it too much but I think that Zope handles undefined variables properly if you do the sqltest.
i.e.
where <!--#sqltest name column=column_name type=column_type--> and <!--#sqltest name2 column=column_name2 type=column_type-->
will work if name2 is not defined.
It also handles the quoting and SQL syntax (such as doubling single quotes).
Absolutely... we ran into some situations where the SQL was so dynamic that potential security problems arose. sqltest and sqlvar are designed to reduce that exposure. Additionally, we've found a very common rhythm where a search UI might expose all or a large percentage of the available data elements in the RDBMS. Using sqltest lets the user not specify one or more parameters without a lot of messy <!--#if --><!--#/if --> stuff in the SQL Method. --Rob
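For anyone reading this thread later, here is a sketch of the difference the two replies above describe, as an added example and not Zope's own sqltest/sqlvar code: a small stand-in that type-checks each parameter, doubles embedded single quotes, and simply drops parameters the form left out, placed next to the raw `<!--#var name-->` interpolation from the question. The names `sql_test`, `build_where` and `unsafe_where` are made up for illustration, the sample form values are constructed, and treating an absent or empty parameter as optional is an assumption for the sake of the example (the type names int, float, string and nb mirror the ones sqltest accepts).

```python
# Added example, not Zope's own code: a minimal stand-in for the behaviour
# the thread attributes to DTML's sqltest tag (type checking, quote
# doubling, dropping undefined parameters), next to the raw "#var"
# interpolation it replaces. Names such as sql_test and build_where are
# assumptions for illustration; absent or empty parameters are treated
# as optional, which is also an assumption.
import re


class SqlTestError(ValueError):
    """Raised when a request value does not satisfy the declared type."""


_INT_RE = re.compile(r'^[+-]?\d+$')
_FLOAT_RE = re.compile(r'^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$')


def sql_quote_string(value):
    """Wrap value in single quotes, doubling any embedded single quote
    so the value cannot terminate the literal early."""
    return "'" + str(value).replace("'", "''") + "'"


def sql_test(request, name, column, sql_type):
    """Render "column = literal" for one parameter, or None if the
    parameter is missing or empty.  Numeric types are validated by
    pattern, so a value like '30 or 1=1' is rejected, not interpolated."""
    if name not in request or request[name] is None:
        return None
    text = str(request[name])
    if text == '':
        if sql_type == 'nb':  # nb = non-blank string, so blank is an error
            raise SqlTestError('%s: must not be blank' % name)
        return None
    if sql_type == 'int':
        if not _INT_RE.match(text.strip()):
            raise SqlTestError('%s: %r is not an int' % (name, text))
        literal = str(int(text.strip()))
    elif sql_type == 'float':
        if not _FLOAT_RE.match(text.strip()):
            raise SqlTestError('%s: %r is not a float' % (name, text))
        literal = repr(float(text.strip()))
    elif sql_type in ('string', 'nb'):
        literal = sql_quote_string(text)
    else:
        raise SqlTestError('%s: unknown type %r' % (name, sql_type))
    return '%s = %s' % (column, literal)


def build_where(request, tests):
    """Join the rendered tests with AND, skipping absent parameters, so
    a search form can leave any field blank without <!--#if--> blocks."""
    clauses = []
    for name, column, sql_type in tests:
        clause = sql_test(request, name, column, sql_type)
        if clause is not None:
            clauses.append(clause)
    if not clauses:
        return ''
    return 'where ' + ' and '.join(clauses)


def unsafe_where(request, name, column):
    """The <!--#var name--> pattern from the question: the raw request
    value is pasted into the SQL, so a quote in it rewrites the query."""
    return "where %s = '%s'" % (column, request[name])


if __name__ == '__main__':
    # Constructed sample request: a search form where first_name was left blank.
    form = {'name': "O'Brien", 'age': '30'}
    tests = [('name', 'last_name', 'string'),
             ('age', 'age', 'int'),
             ('name2', 'first_name', 'string')]
    print(build_where(form, tests))
    # Constructed hostile input: the same value through both paths.
    hostile = {'name': "x' or '1'='1"}
    print(unsafe_where(hostile, 'name', 'last_name'))
    print(build_where(hostile, tests[:1]))
```

Running it shows the three points from the replies in one place: the absent `name2` simply disappears from the WHERE clause, the apostrophe in O'Brien is doubled instead of closing the literal, and the hostile value that turns the `#var` version into `where last_name = 'x' or '1'='1'` stays a plain string literal under the sqltest-style path, while a non-numeric value for an int column is rejected outright.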