Whenever I'm using SQL databases in zope, I always seem to have to make a ZSQL instance for inserting into every table in my database, and they are all nearly the same - they just have a list of all the fields in the database in the parameters, then they say: insert into [table] ([list of fields]) values ([list of <dtml-sqlvar>s]) I'd much rather have a dictionary of fields and values, and just throw it at the DB, not having to make those queries for every table. I have acheived it like so: mydict = {"field1":"value1" , "field2":"value2" ,...} (fields,values)=zip(*myDict.items()) context.genericInsert(table='table name',fields=fields,values=values) Where generic insert is the following ZSQL method: insert into "<dtml-var table>" (<dtml-in expr="fields">"<dtml-var sequence-item>"<dtml-if sequence-end><dtml-else>,</dtml-if></dtml-in>) values (<dtml-in expr="values"><dtml-sqlvar sequence-item type=string><dtml-if sequence-end><dtml-else>,</dtml-if></dtml-in>); with parameters: * table - table name * fields - list of fieldnames * values - list of values in the same order What do other people think of this? Is it a really bad idea? Robert Munro
Great idea. Not to be recommended in general. This works because every field is textual, and you are sql-quoting by using type=string. Here are the problems: 1) if someone reads this and does not use the type=string tag, or equivalent, they will be wide open to sql injection. 2) OR, they can pass a list of type with each variable. 3) If you have to handle casts, then you will have to pass a list of cast-types, as well. So, you have essentially moved the problem from making at least one insertion call per table to a single insertion method that requires the creation of two, three, or four lists. This does not self-evidently require less work. You can no longer inspect the method to see if it is correct. You have to look to each call-point to determine what is actually being used. Just as bad, your application goes happily on its way if you are missing (non-key) variables. Keep zsql methods a simple as possible. Use as few tricks as possible. Your goal is self-evident correctness, not the minimization of typing. jim penny zope-bounces@zope.org wrote on 04/13/2006 02:23:22 PM:
Whenever I'm using SQL databases in zope, I always seem to have to make a ZSQL instance for inserting into every table in my database, and they are all nearly the same - they just have a list of all the fields in the database in the parameters, then they say:
insert into [table] ([list of fields]) values ([list of <dtml-sqlvar>s])
I'd much rather have a dictionary of fields and values, and just throw it at the DB, not having to make those queries for every table. I have acheived it like so:
mydict = {"field1":"value1" , "field2":"value2" ,...} (fields,values)=zip(*myDict.items()) context.genericInsert(table='table name',fields=fields,values=values)
Where generic insert is the following ZSQL method: insert into "<dtml-var table>" (<dtml-in expr="fields">"<dtml-var sequence-item>"<dtml-if sequence-end><dtml-else>,</dtml-if></dtml-in>) values (<dtml-in expr="values"><dtml-sqlvar sequence-item type=string><dtml-if sequence-end><dtml-else>,</dtml-if></dtml-in>);
with parameters: * table - table name * fields - list of fieldnames * values - list of values in the same order
What do other people think of this? Is it a really bad idea?
Robert Munro _______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Robert (Jamie) Munro wrote:
Whenever I'm using SQL databases in zope, I always seem to have to make a ZSQL instance for inserting into every table in my database, and they are all nearly the same - they just have a list of all the fields in the database in the parameters, then they say:
insert into [table] ([list of fields]) values ([list of <dtml-sqlvar>s])
You're probably better off looking into an ORM like SQLAlchemy... Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
I agree. I am just starting to work with zalchemy in Zope3 and looking to try and make it work with Five so I have it for Zope2. Regards, David Chris Withers wrote:
Robert (Jamie) Munro wrote:
Whenever I'm using SQL databases in zope, I always seem to have to make a ZSQL instance for inserting into every table in my database, and they are all nearly the same - they just have a list of all the fields in the database in the parameters, then they say:
insert into [table] ([list of fields]) values ([list of <dtml-sqlvar>s])
You're probably better off looking into an ORM like SQLAlchemy...
Chris
participants (4)
-
Chris Withers -
David Pratt -
jpenny@ykksnap-america.com -
Robert (Jamie) Munro