[Zope-DB] Using <dtml-var>s in ZSQL methods?
Charlie Clark
charlie at egenix.com
Mon Jun 18 10:30:14 EDT 2007
On 18.06.2007, 16:03, <JPenny at ykksnap-america.com> wrote:
> There are no pros and cons. Only cons.
This is generally right, unless you use .execute(statement, (paras,)) on
the DA like you can with the mxODBC Zope DA. Although admittedly this is
currently only available for ExternalMethods. Adding support for
.execute() in a DA is not hard. However, this should only be used
occasionally, if it is important to generate your SQL and using something
like SQLAlchemy isn't appropriate.
> There is a good argument to be made that ZSQL methods are entirely
> a bad idea -- that only prepared statements should be supported, as it
> is far harder to break security.
I don't think they are a bad idea; in fact I find them very helpful, but
they could be updated to use prepared statements with bound parameters,
which require the driver to quote parameters. I've started work on a
simpleSQLTemplate which uses string.Template to support $placeholders:
"SELECT id FROM table WHERE id = $value"
->
"SELECT id FROM table WHERE id = ?", (value,)  # generate the SQL using the appropriate paramstyle for the underlying DB driver.
Charlie
--
Charlie Clark
eGenix.com
Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________
:::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,MacOSX for free ! ::::
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
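The placeholder-to-paramstyle rewrite sketched in the message above, as an added example that is not code from the original post, from eGenix, or from Zope: a small string.Template-based SQL template that turns `$name` placeholders into the marker of whichever PEP 249 paramstyle the driver declares (qmark, numeric, named, format or pyformat) and hands the values to the driver separately. The function and class names (`compile_sql`, `bind`, `_Recorder`, `demo`) and the in-memory sqlite3 table are assumptions of this example; `demo` runs the same query once the `<dtml-var>` way (value pasted into the SQL text) and once with bound parameters so the difference on a hostile value is visible.

```python
"""Added example: a minimal SQL template in the spirit of simpleSQLTemplate.
$placeholders are rewritten into the driver's DB-API paramstyle and the
values are passed separately, so the driver does the quoting."""
import sqlite3
from string import Template

# PEP 249 paramstyles: sequence-style drivers take a tuple, mapping-style a dict.
# A driver announces its style as module.paramstyle (sqlite3.paramstyle == "qmark").
_SEQUENCE_STYLES = ("qmark", "numeric", "format")
_MAPPING_STYLES = ("named", "pyformat")


def _marker(style, index, name):
    """Placeholder marker for parameter number `index` called `name`."""
    if style == "qmark":
        return "?"
    if style == "numeric":
        return ":%d" % index
    if style == "named":
        return ":%s" % name
    if style == "format":
        return "%s"
    if style == "pyformat":
        return "%%(%s)s" % name
    raise ValueError("unknown paramstyle %r" % (style,))


class _Recorder(object):
    """Mapping handed to string.Template.substitute(): it records each $name
    the template asks for and returns the driver's marker instead of a value."""

    def __init__(self, style):
        self.style = style
        self.names = []

    def __getitem__(self, name):
        self.names.append(name)
        return _marker(self.style, len(self.names), name)


def compile_sql(text, paramstyle="qmark"):
    """'... WHERE id = $value' -> ('... WHERE id = ?', ['value']) for the given style."""
    rec = _Recorder(paramstyle)
    sql = Template(text).substitute(rec)  # left-to-right, so names keep query order
    return sql, rec.names


def bind(text, values, paramstyle="qmark"):
    """Return (sql, params) ready for cursor.execute(sql, params)."""
    sql, names = compile_sql(text, paramstyle)
    if paramstyle in _SEQUENCE_STYLES:
        params = tuple(values[n] for n in names)
    elif paramstyle in _MAPPING_STYLES:
        params = dict((n, values[n]) for n in names)
    else:
        raise ValueError("unknown paramstyle %r" % (paramstyle,))
    return sql, params


def demo(hostile="x' OR '1'='1"):
    """Constructed sample table (assumption of this example). Returns
    (rows from <dtml-var>-style substitution, rows from bound parameters)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])

    # <dtml-var name> without sql_quote: the value is pasted into the SQL text,
    # so the quote in `hostile` closes the literal and the OR clause runs.
    unsafe_sql = Template("SELECT id FROM users WHERE name = '$name'").substitute(name=hostile)
    unsafe_rows = conn.execute(unsafe_sql).fetchall()

    # Bound parameters: the same value is sent out of band and compared literally.
    sql, params = bind("SELECT id FROM users WHERE name = $name", {"name": hostile}, sqlite3.paramstyle)
    safe_rows = conn.execute(sql, params).fetchall()
    conn.close()
    return unsafe_rows, safe_rows


if __name__ == "__main__":
    print(compile_sql("SELECT id FROM table WHERE id = $value"))
    print(demo())
```

The template still has to be a trusted string: only the `$name` values are bound, so table and column names that come from a request cannot go through `bind` and need a whitelist instead.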