[Zope-DB] Using <dtml-var>s in ZSQL methods?
Maciej Wisniowski
maciej.wisniowski at coig.katowice.pl
Mon Jun 18 01:33:37 EDT 2007
> I tried to invoke the "query" method of my adapter (which is named
> "dhatabase") with this code:
>
> "
> p = context.REQUEST.get('delete_this')
> if p:
> s = ', '.join([str(x) for x in p])
> t = "delete from person where person_id in (%s);" % s
> context.dhatabase.query(query_string=t)
> "
>
> ...and got this error: "AttributeError: query" (full traceback at end of
> message). What's wrong with my method call?
>
Try:
context.dhatabase().query(query_string=t)
Assuming that 'dhatabase' is your DatabaseConnection object.
> I also have a broader question: When one is composing dynamic SQL in Python
> scripts, what are the pros and cons of executing them by going directly to
> the database adapter (as suggested above) vs passing it in as the sole
> argument of an "empty" ZSQL method? By "empty" ZSQL method I mean something
> like:
I think in this case there is no difference. Both ways may be harmful
unless you're sure that it is not possible to do SQL injection.
--
Maciej Wisniowski
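The injection point Maciej refers to is the `%s` interpolation in the quoted script: whatever arrives in `REQUEST['delete_this']` is pasted verbatim into the IN (...) list. The following is an added example, not code from the thread; it reproduces the quoted query builder beside a version that coerces every id to an integer first, and also handles the Zope quirk that a single form value arrives as a `str` rather than a list (the table and column names come from the post, the helper names are mine).

```python
# Added example modelled on the script quoted in the thread (helper names
# are assumptions). It builds the same "delete ... in (...)" statement two
# ways and shows why the first one is unsafe.


def unsafe_delete_query(p):
    """Mirror of the quoted script: each value is interpolated verbatim,
    so a non-numeric value becomes part of the SQL text."""
    s = ', '.join([str(x) for x in p])
    return "delete from person where person_id in (%s);" % s


def normalize_ids(p):
    """Zope marshals a form field as a single str unless the field name
    carries a ':list' suffix. Iterating a str yields its characters, so
    '12' would otherwise turn into the ids 1 and 2."""
    if isinstance(p, str):
        return [p]
    return list(p)


def safe_delete_query(p):
    """Only integers can reach the SQL text: every id is parsed with int()
    and anything else is rejected before a statement is built."""
    ids = []
    for x in normalize_ids(p):
        try:
            ids.append(int(str(x).strip()))
        except ValueError:
            raise ValueError("person_id must be an integer, got %r" % (x,))
    if not ids:
        raise ValueError("no ids supplied")
    s = ", ".join(str(i) for i in ids)
    return "delete from person where person_id in (%s);" % s


if __name__ == "__main__":
    # Constructed inputs standing in for REQUEST.get('delete_this').
    print(unsafe_delete_query(["3", "2 or 1=1"]))   # attacker text survives
    print(unsafe_delete_query("12"))                 # str split into 1, 2
    print(safe_delete_query(["3", " 7 "]))           # in (3, 7)
    print(safe_delete_query("12"))                   # in (12)
    try:
        safe_delete_query(["2 or 1=1"])
    except ValueError as e:
        print("rejected:", e)
```

Inside a ZSQL method the same coercion is what `<dtml-sqltest person_id type=int multiple>` does for you, which is the practical reason to prefer a parameterised ZSQL method over handing a finished string to the adapter.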