[Zope-DB] How can I dynamically generate a Z Search Interface?
Dieter Maurer
dieter@handshake.de
Mon, 9 Sep 2002 19:23:46 +0200
Jim Penny writes:
> Dieter Maurer writes:
> > This is true, when he calls the External Method with the generated
> > SQL. But, I expect that he will generate the SQL in the External
> > Method. Then, the input is innocuous: a selection of fields
> > that should be output. They can easily be quoted or checked for
> > validity.
> >
>
> Well, not really. dtml-sqlquote will not work for input like:
>
> select first_name, last_name from foo where first_name in
> ('john', 'pete', 'dieter')
>
> (here assuming that string """('john', 'pete', 'dieter')""" is passed
> as single parameter. While the substrings can be sql_quoted individually
> during the string construction phase, they cannot be easily quoted in
> the ZSQL method or external method.)
The natural way would be to pass in a list of names and not a string.
As you say, the individual strings can easily be quoted (or checked).
> ...
> Ahh, but in the realm that Tena seems to want to operate in, it is.
> S/He has the idea, that appears to occur to every newbie (and I was no
> exception), that it is a real problem to define all those dozens of
> ZSQL methods that are used in a folder, and that life would be much
> better if only he could define a single efficient, secure, understandable,
> and completely general way of creating a dynamic ZSQL method that
> generates the body on the fly and therefore frees all the clutter.
Maybe ...
Dieter
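As an added example (not code from this thread, from Zope, or from the DTML `sqlquote` tag itself), this is the approach Dieter describes in plain Python: pass the names as a list rather than a pre-joined string, quote each element individually, and check the requested output fields against a whitelist before they are spliced into the statement. It also shows why quoting the whole `('john', 'pete', 'dieter')` string as one parameter cannot work: it becomes a single literal. The `sql_quote` helper (which mimics the double-the-single-quote behaviour of `dtml-sqlquote`), the `ALLOWED_FIELDS` whitelist and the hard-coded table name `foo` are assumptions of this example.

```python
# Added example, not from the original thread or from Zope.
# Demonstrates building a dynamic "select ... where first_name in (...)"
# statement safely from a list of names and a checked list of output fields.

# Constructed whitelist of columns a caller may ask to have output.
ALLOWED_FIELDS = {"first_name", "last_name", "email"}


def sql_quote(value):
    """Quote one string literal the way dtml-sqlquote does: wrap it in single
    quotes and double every embedded single quote.  Applied to a whole
    "('a', 'b')" string this yields ONE literal, which is the problem the
    thread discusses; it must be applied per element instead."""
    if not isinstance(value, str):
        raise TypeError("only strings can be quoted")
    return "'" + value.replace("'", "''") + "'"


def check_fields(fields):
    """Return the requested output fields, rejecting anything not whitelisted.
    Column names cannot be quoted like values, so they are checked instead."""
    bad = [f for f in fields if f not in ALLOWED_FIELDS]
    if bad:
        raise ValueError("unknown field(s): %s" % ", ".join(sorted(bad)))
    return list(fields)


def build_query(fields, names, table="foo"):
    """Build the statement from a list of names (each quoted individually)
    and a checked list of output fields.  The table name is fixed by the
    caller's code, not taken from request input."""
    if isinstance(names, str):
        # A pre-joined string cannot be quoted element-wise; insist on a list.
        raise TypeError("pass a list of names, not a pre-joined string")
    if not names:
        raise ValueError("need at least one name")
    cols = ", ".join(check_fields(fields))
    in_list = ", ".join(sql_quote(n) for n in names)
    return "select %s from %s where first_name in (%s)" % (cols, table, in_list)


if __name__ == "__main__":
    # Constructed sample input: the list form Dieter suggests.
    print(build_query(["first_name", "last_name"], ["john", "pete", "dieter"]))
    # The whole-string form Jim describes collapses into a single literal.
    print(sql_quote("('john', 'pete', 'dieter')"))
```

Note that the whitelist check for field names is the only option for identifiers: quoting protects string values inside the `IN (...)` list, but a column name in the `select` list is not a value and has to be validated against the set of columns the method is meant to expose.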