[Zope-dev] ZSQL methods lookup vars in REQUEST only (why?)
Tim McLaughlin
tim@iterationzero.com
Thu, 11 Oct 2001 07:48:05 -0400
I agree. However, this is true of all DTML.
I mean, it's just as true in DTML methods that might REQUEST.set the args
to the ZSQLMethod, i.e. they could be tricked into REQUEST.set(ing) a
false total etc. because they look up all of their variables in the
namespace.
Cheers,
Tim
Paul Zwarts wrote:
>
> Hi Tim,
>
> Just to play devil's advocate: it seems this way, that methods pulling
> non-specifically from namespace could allow ways to modify the result if
> someone paid close attention to what's going on... i.e. the total price of
> your shopping cart before it's sent to the transaction broker. It
> requires the programmer to keep even more close care that all variables
> generated at runtime are first cleaned and wiped so that this same
> REQUEST couldn't just be anticipated by someone who's interested.
>
> Or can you suggest a way around this?
>
> Thanks,
> Paul Zwarts
>
> -----Original Message-----
> From: zope-dev-admin@zope.org [mailto:zope-dev-admin@zope.org] On Behalf
> Of Tim McLaughlin
> Sent: Thursday, October 11, 2001 1:30 PM
> To: zope-dev@zope.org
> Cc: Micah Martin
> Subject: [Zope-dev] ZSQL methods lookup vars in REQUEST only (why?)
>
> I've been asked too many times now by developers what is wrong when they
> call ZSQL Methods without passing parameters because their parameters
> are in the namespace. This seems to make sense to all new Zopers (and
> some older ones like myself) because all other DTML lookups are in the
> entire namespace.
>
> Anyway, I propose that ZSQLMethods change and do variable lookups in the
> entire namespace, not just the REQUEST object. It seems to be a simple
> enough change (at least it looks it) and I can submit the patches, but
> the harder thing is to get people to agree that it is a change for the
> better.
>
> The only argument that I have heard against it is that variables will be
> found mysteriously through the stack and that this is harder to
> understand. However, that just makes it inconsistent with all other
> DTML and therefore mysterious in its own way.
>
> Consistency is much better for learning and for remembering, and DTML in
> ZSQL should work the same as DTML in DTML Methods, etc. Please consider
> this and abuse me as appropriate ;)
>
> Regards,
> Tim
> --
> Tim McLaughlin
> iterationZERO - www.iterationzero.com
> 703.481.2233
>
> _______________________________________________
> Zope-Dev maillist - Zope-Dev@zope.org
> http://lists.zope.org/mailman/listinfo/zope-dev
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope )
--
Tim McLaughlin
iterationZERO - www.iterationzero.com
703.481.2233
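
Added example, not part of the original thread and not Zope code: a plain-Python model of the concern raised above, where a name resolved through a whole namespace is silently satisfied by a client-supplied form field, next to a version that passes explicit arguments. ChainMap stands in for the namespace stack; every function name and the sample data are assumptions made for illustration.

```python
import sqlite3
from collections import ChainMap

# Constructed sample data: the server-side cart and a tampered form post.
CART = [{"sku": "A1", "price_cents": 1500, "qty": 2}]
TAMPERED_FORM = {"order_id": "42", "total_cents": "1"}

def cart_total(cart):
    """Recompute the total from data the server holds."""
    return sum(item["price_cents"] * item["qty"] for item in cart)

def implicit_args(names, *layers):
    """Namespace-style lookup: search every layer, first hit wins."""
    namespace = ChainMap(*layers)
    return {name: namespace[name] for name in names}

def explicit_args(form, cart):
    """Take only the declared client input; recompute the total server-side."""
    order_id = form["order_id"]
    if not order_id.isdigit():
        raise ValueError("order_id must be numeric")
    return {"order_id": int(order_id), "total_cents": cart_total(cart)}

def store_order(args):
    """Insert with bound parameters and return the stored total."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (order_id INTEGER, total_cents INTEGER)")
    db.execute("INSERT INTO orders VALUES (:order_id, :total_cents)", args)
    return db.execute("SELECT total_cents FROM orders").fetchone()[0]

def demo():
    # The page code never set total_cents, so the lookup does not fail:
    # it falls through to the form layer and takes the client's value.
    page_vars = {}
    weak = implicit_args(["order_id", "total_cents"], page_vars, TAMPERED_FORM)
    strong = explicit_args(TAMPERED_FORM, CART)
    return store_order(weak), store_order(strong)

if __name__ == "__main__":
    print(demo())
```

Bound parameters keep the value out of the SQL text in both cases; only the explicit version controls where the value comes from.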