[Zope-DB] How can I dynamically generate a Z Search Interface?

Dieter Maurer dieter@handshake.de
Mon, 9 Sep 2002 19:23:46 +0200


Jim Penny writes:
 > Dieter Maurer writes:
 > > This is true, when he calls the External Method with the generated
 > > SQL. But, I expect that he will generate the SQL in the External
 > > Method. Then, the input is innocuous: a selection of fields
 > > that should be output. They can easily be quoted or checked for
 > > validity.
 > > 
 > 
 > Well, not really.  dtml-sqlquote will not work for input like:
 > 
 > select first_name, last_name from foo where first_name in 
 >   ('john', 'pete', 'dieter')
 > 
 > (here assuming that string """('john', 'pete', 'dieter')""" is passed
 > as single parameter.  While the substrings can be sql_quoted individually 
 > during the string construction phase, they cannot be easily quoted in 
 > the ZSQL method or external method.)
The natural way would be to pass in a list of names and not a string.
As you say, the individual strings can easily be quoted (or checked).

 > ...
 > Ahh, but in the realm that Tena seems to want to operate in, it is.
 > S/He has the idea, that appears to occur to every newbie (and I was no
 > exception), that it is a real problem to define all those dozens of 
 > ZSQL methods that are used in a folder, and that life would be much 
 > better if only he could define a single efficient, secure, understandable, 
 > and completely general way of creating a dynamic ZSQL method that 
 > generates the body on the fly and therefore frees all the clutter.
Maybe ...


Dieter
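
Added example, not part of the original message and not Zope code: a sketch of the approach discussed above, where the query-building function receives lists rather than a pre-built string, checks the requested fields against an allow-list, and handles each name individually. It binds each name through a DB-API placeholder (sqlite3 here) instead of calling sql_quote; the columns of `foo`, `ALLOWED_FIELDS`, `build_query`, `run_demo` and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Assumed columns of the thread's table "foo"; only these may be selected.
ALLOWED_FIELDS = ("first_name", "last_name", "email")

def build_query(fields, names):
    """Return (sql, params) for
    select <fields> from foo where first_name in (<names>)."""
    # A single string such as "('john', 'pete')" cannot be quoted safely
    # after the fact, so refuse it and insist on lists.
    if isinstance(fields, str) or isinstance(names, str):
        raise TypeError("pass lists, not a pre-built SQL fragment")
    if not fields or not names:
        raise ValueError("need at least one field and one name")
    bad = [f for f in fields if f not in ALLOWED_FIELDS]
    if bad:
        raise ValueError("unknown field(s): %r" % (bad,))
    # Field names were checked against the allow-list, so they can be
    # interpolated. Each name gets its own placeholder and is sent to the
    # driver as data, never as SQL text.
    placeholders = ", ".join("?" for _ in names)
    sql = "select %s from foo where first_name in (%s)" % (
        ", ".join(fields), placeholders)
    return sql, [str(n) for n in names]

def run_demo(fields, names):
    """Run the generated query against constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (first_name text, last_name text, email text)")
    conn.executemany("insert into foo values (?, ?, ?)", [
        ("john", "a", "john@example.invalid"),
        ("pete", "b", "pete@example.invalid"),
        ("dieter", "c", "dieter@example.invalid"),
        ("mallory", "d", "mallory@example.invalid"),
    ])
    sql, params = build_query(fields, names)
    rows = conn.execute(sql + " order by first_name", params).fetchall()
    conn.close()
    return rows

if __name__ == "__main__":
    print(build_query(["first_name", "last_name"], ["john", "pete", "dieter"]))
    print(run_demo(["first_name", "last_name"], ["john", "pete", "dieter"]))
```

A list element that itself contains quote characters is matched as one literal name, so it cannot widen the IN list.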