[hans]
well, i could instantiate a bunch of zsql methods, each with its own query and then call them from my products methods. but how could i obviate the need to have these zsql methods and query directly? Or is it just not worth it? thx hans
Well, the extreme and simplest case is to have one zsql method that takes a single parameter called, say, "sql": &dtml-sql; The sql parameter would contain the entire query, that is, an entire select statement or insert statement or whatever. This is easy and flexible, but has no security at all. If someone posted you a DELETE statement, you might end up very unhappy, for example. Still it is an easy approach to use when you are tuning up a query, as long as you don't let it loose outside your system. The next level up from this is to have your page, or a method called by the page, construct a query statement using values from a form, then hand the query to your friendly general zsql method. This is quite a bit more more secure, but you still need to make sure it's going to be safe. A next step up in security is to make sure that any query that can be constructed and passed to the zsql method can only access non-updateable views. There's a tradeoff between having highly specialized zsql methods, which could be the most secure but can lead to you having to maintain many individual methods, and the completely general approach I've outlined above where you only need one method but have to manage the security issues. Cheers, Tom P