[Zope-DB] How can I dynamically generate a Z Search Interface?
Dieter Maurer
dieter@handshake.de
Sat, 7 Sep 2002 20:25:39 +0200
Jim Penny writes:
> On Fri, Sep 06, 2002 at 08:33:00PM +0200, Dieter Maurer wrote:
> ...
> > Database adapters can be called to get a database connection.
> >
> > A database connection has a "query" method to send SQL commands to
> > its database.
> >
> > Going this route lets you leave the well documented path.
> > You will probably need to read sources and experiment...
>
> Moreover, you will lose some things and gain nothing.
I disagree...
> You gain nothing, because you will still have to worry about SQL
> Injection problems, that is, you will still have to properly quote
> arguments. Mostly this is easy, but if you use IN clauses in your
> queries, it can be a bit tricky.
This is true, when he calls the External Method with the generated
SQL. But, I expect that he will generate the SQL in the External
Method. Then, the input is innocuous: a selection of fields
that should be output. They can easily be quoted or checked for
validity.
> More importantly, you lose two things. First, you will probably lose
> connection caching (or have to do it yourself). For many databases,
> this is a biggy, as this can take tenths of seconds.
No, we are still above this layer.
We use the same interface used by Z SQL Methods.
We just bypass Z SQL Methods.
> Second, you lose testability (and thus, most probably, reliability).
I agree, that Z SQL Methods allow for nice testing.
But, it is also not difficult to test the External Method.
Dieter
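
Added example, not part of the original message: a sketch of the SQL generation discussed above, where the selected fields are checked against an allowlist and each element of an IN clause is quoted separately before the string is handed to the connection's "query" method. The table name, column names and both helper functions are hypothetical, and the quoting assumes standard SQL string literals with no backslash escapes.

```python
# Assumed schema for illustration: columns a caller may select from a
# hypothetical "employees" table. Anything not listed here is rejected.
ALLOWED_FIELDS = {
    "employees": ("id", "name", "department", "hired"),
}


def sql_quote_string(value):
    """Quote a string literal the standard-SQL way (double embedded quotes).

    Assumption: the database does not treat backslash as an escape
    character; if it does, use the adapter's own quoting routine instead.
    """
    if not isinstance(value, str):
        raise TypeError("only string values are supported here")
    if "\x00" in value:
        raise ValueError("NUL byte in SQL string value")
    return "'" + value.replace("'", "''") + "'"


def build_select(table, fields, in_column=None, in_values=()):
    """Build a SELECT over caller-chosen fields, with an optional IN clause."""
    allowed = ALLOWED_FIELDS.get(table)
    if allowed is None:
        raise ValueError("unknown table: %r" % (table,))
    if not fields:
        raise ValueError("no fields selected")
    names = list(fields)
    if in_column is not None:
        names.append(in_column)
    for name in names:
        # Identifiers are not quoted into shape: they must be on the allowlist.
        if name not in allowed:
            raise ValueError("field not allowed: %r" % (name,))
    sql = "SELECT %s FROM %s" % (", ".join(fields), table)
    if in_column is not None:
        if not in_values:
            # "x IN ()" is a syntax error in most databases; match no rows.
            return sql + " WHERE 1 = 0"
        # Quote each element on its own, then join. Quoting the joined
        # list as one string is the usual IN-clause mistake.
        quoted = ", ".join(sql_quote_string(v) for v in in_values)
        sql += " WHERE %s IN (%s)" % (in_column, quoted)
    return sql
```
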