Hello,

I am new to Zope and DTML. I am trying to use a python script to call a Z SQL method. The python script also has a list that <dtml-in inside the ZSQL method iterates over.

So my python script:

-----python script
words = ['one', 'two']
context.REQUEST.set('wordlist', wordlist)
rs = context.myzsqlmethod()
return rs[0,2]

-----z sql script:
SELECT * FROM table WHERE
<dtml-in words>
column1 LIKE ('<dtml-var "'%'+sequence-item+'%'">' OR column2 LIKE '<dtml-var "'%'+sequence-item+'%'">')
<dtml-unless sequence-end> AND </dtml-unless>
</dtml-in>
---------------

But it doesn't want to, gives me..

Error Type: NameError
Error Value: name 'wordlist' is not defined

I tried feeding the variable into the ZSQL arguments list, but I got something like "cannot concatenate a module with a str"

Can anyone please help me? Thank you!
It complains about 'wordlist' because it is not defined anywhere. Perhaps you mean 'words' in the second line?

To pass a param to the ZSQL method, just say::

  context.myzsqlmethod(words=words)

This will put it in the namespace.

--jcc
--
"Building Websites with Plone"
http://plonebook.packtpub.com/

Enfold Systems, LLC
http://www.enfoldsystems.com
And don't use <dtml-var> in ZSQL Methods. In your example, use <dtml-sqlvar sequence-item type=string> instead. Even if you hardcode the wordlist, but even more if it's coming from request somewhere.
Thank you all!! This helped a lot!

Tino Wildenhain <tino@wildenhain.de> wrote:
> And don't use <dtml-var> in ZSQL Methods. In your example, use <dtml-sqlvar sequence-item type=string> instead. Even if you hardcode the wordlist, but even more if it's coming from request somewhere.
> I am trying to use a python script to call a Z SQL method. The python

You need to have defined "words" as a parameter for the ZSQL Method. You have tried to call the property wordlist, which does not exist.

Here is your ZSQL with safety (not functional) concern:

<params>
words:string
</params>
SELECT * FROM table WHERE
<dtml-in words prefix="wrd">
( column1 LIKE '%<dtml-var wrd_item sql_quote>%' OR column2 LIKE '%<dtml-var wrd_item sql_quote>%' )
<dtml-unless sequence-end> AND </dtml-unless>
</dtml-in>

And here are some functional tips for you:

<dtml-sqltest>
<dtml-sqlgroup>

> -----z sql script:
> SELECT * FROM table WHERE
> <dtml-in words>
> column1 LIKE ('<dtml-var "'%'+sequence-item+'%'">' OR column2 LIKE '<dtml-var "'%'+sequence-item+'%'">')
> <dtml-unless sequence-end> AND </dtml-unless>
> </dtml-in>

Nice example for easy SQL injection!
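
The replies above recommend <dtml-sqlvar> or sql_quote over raw <dtml-var>. The following added example (not part of the thread, and not Zope code) reproduces the query shape with Python's sqlite3 as a stand-in for the Zope database adapter and compares string interpolation with bound parameters. The table name items, the sample rows and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample rows; "items" is a hypothetical stand-in for the thread's table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (column1 TEXT, column2 TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)", [
        ("one apple", "two pears"),
        ("one plum", "nothing"),
        ("O'Brien", "one two"),
    ])
    return db

def search_interpolated(db, words):
    # Same shape as the <dtml-var> version: each word is pasted into the SQL text,
    # so a quote character in a word becomes part of the statement.
    groups = ["(column1 LIKE '%" + w + "%' OR column2 LIKE '%" + w + "%')"
              for w in words]
    sql = "SELECT * FROM items WHERE " + " AND ".join(groups) + " ORDER BY rowid"
    return db.execute(sql).fetchall()

def like_pattern(word):
    # Escape LIKE metacharacters so the word matches literally, then wrap in %...%.
    for ch in ("\\", "%", "_"):
        word = word.replace(ch, "\\" + ch)
    return "%" + word + "%"

def search_bound(db, words):
    # The SQL text depends only on how many words there are; the words
    # themselves are passed as bound parameters and never parsed as SQL.
    if not words:
        return []
    group = "(column1 LIKE ? ESCAPE '\\' OR column2 LIKE ? ESCAPE '\\')"
    sql = ("SELECT * FROM items WHERE " + " AND ".join([group] * len(words))
           + " ORDER BY rowid")
    params = [like_pattern(w) for w in words for _ in range(2)]
    return db.execute(sql, params).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(search_bound(db, ["one", "two"]))
    print(search_bound(db, ["O'Brien"]))
    try:
        search_interpolated(db, ["O'Brien"])
    except sqlite3.OperationalError as exc:
        print("interpolated query broke:", exc)
```

A word containing an apostrophe is enough to show the difference: the interpolated statement no longer parses, while the bound version finds the matching row.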
participants (4)
- Alric Aneron
- J Cameron Cooper
- Jaroslav Lukesh
- Tino Wildenhain