[Zope-DB] dynamic SQL
Charlie Clark
charlie at begeistert.org
Wed Oct 8 14:19:15 EDT 2003
Jason LeMonier wrote:
> Hey all,
>
> i can appreciate not wanting to leave wide-open sql calls,
> but when it comes to dynamic queries ...
>
> we usually just need to change the where clause.
> That way you're restricting the query to: "select * from x where "
> so your database is not at risk.
Well, you can still do this using parameters with some degree of security.
SELECT * from <dtml-var table> WHERE <dtml-var variable1> = <dtml-sqlvar variable2 type="int">
This is okay for well-defined situations - where you have several tables
with the same structure.
Likewise using <dtml-if> for additional conditions.
Of course, DTML is nothing like as easy to use for more complex
situations than Python. It should become natural to know when you need
to break things out into some PythonScripts with a collection of SQL
methods.
Charlie
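The distinction the reply draws, between names spliced into the statement text (<dtml-var>) and values bound as parameters (<dtml-sqlvar ... type="int">), is the whole security question for dynamic WHERE clauses. The following is an added illustration in plain Python with sqlite3, not code from the thread or from Zope: identifiers cannot be bound by any database driver, so the only defence for them is an allow-list of known table and column names (the "well-defined situation" with several identically structured tables), while the value is bound and coerced to int the way type="int" does. The schema, table names and rows are constructed for the example.

```python
import sqlite3

# Constructed sample schema: several tables with the same structure,
# the "well-defined situation" the post describes.
ALLOWED_TABLES = {"orders_2002", "orders_2003"}
ALLOWED_COLUMNS = {"id", "customer_id", "amount"}


def build_query(table, column, value):
    """Return (sql, params) for: SELECT * FROM <table> WHERE <column> = ?

    Identifiers cannot be sent as bound parameters, so <dtml-var table>
    is only safe when the caller has already restricted the possible
    names; here that restriction is an explicit allow-list.  The value
    is bound, which is what <dtml-sqlvar variable2 type="int"> does,
    and int() mirrors the type="int" coercion.
    """
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not allowed: {column!r}")
    sql = f'SELECT * FROM "{table}" WHERE "{column}" = ?'
    return sql, (int(value),)


def run_query(conn, table, column, value):
    """Build the statement and execute it with the value bound."""
    sql, params = build_query(table, column, value)
    return conn.execute(sql, params).fetchall()


def make_sample_db():
    """In-memory database with constructed rows for the two tables."""
    conn = sqlite3.connect(":memory:")
    for table in sorted(ALLOWED_TABLES):
        conn.execute(
            f'CREATE TABLE "{table}" '
            "(id INTEGER, customer_id INTEGER, amount INTEGER)"
        )
    conn.executemany('INSERT INTO "orders_2003" VALUES (?, ?, ?)',
                     [(1, 7, 100), (2, 8, 250), (3, 7, 75)])
    conn.executemany('INSERT INTO "orders_2002" VALUES (?, ?, ?)',
                     [(1, 7, 40)])
    conn.commit()
    return conn


def demo():
    """Exercise the builder; returns a dict so results can be checked."""
    conn = make_sample_db()
    results = {}
    # Same WHERE clause against two tables of identical structure.
    results["customer_7_2003"] = run_query(conn, "orders_2003", "customer_id", 7)
    results["customer_7_2002"] = run_query(conn, "orders_2002", "customer_id", "7")
    # A table name outside the allow-list never reaches the SQL text.
    try:
        run_query(conn, "sqlite_master", "id", 1)
        results["bad_table"] = "accepted"
    except ValueError:
        results["bad_table"] = "rejected"
    # A non-integer value fails the int coercion, as type="int" would,
    # and even a well-formed string would only ever be bound as data.
    try:
        run_query(conn, "orders_2003", "id", "1 OR 1=1")
        results["bad_value"] = "accepted"
    except ValueError:
        results["bad_value"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The allow-list is the part that DTML does not give you for free: a <dtml-var table> fed from a request variable is string interpolation, so the table and column names have to be checked before they reach the template, exactly the kind of logic the reply suggests moving into a Python Script in front of the SQL methods.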