[Zope] (no subject)

Jay, Dylan djay@lucent.com
Fri, 16 Apr 1999 11:33:17 +1000


> -----Original Message-----
> From: Rob Page [mailto:rob.page@digicool.com]
> Sent: Friday, 16 April 1999 07:51
> To: 'Jay, Dylan'
> Cc: 'zope@zope.org'
> Subject: RE: [Zope] (no subject)
> 
> 
> Jay:
> 
> >  I am trying to update my database using URL traversal. I'm pretty
> >  sure I need to give proxy permission in order to update the
> >  database; however, there seems to be no way to do this, e.g.
> >  
> >  I am using a url like this
> >  http://provision.auslabs.lucent.com/cgi-bin/provision.exe/Download/qryCompleteReg/MagicNumber/60330800/completeReg
> 
> The example you included below has a heterogeneous mix of SQL
> statements... some pass-through (e.g., UPDATE) which return no values
> and SELECTs which do.  I'm not sure if it's a bug or not but I'm under
> the impression that you ought not mix SQL like this.

No, you can mix SQL like this. The manual says that as long as there is only
one SELECT in there you should be fine. And this is the case when I test the
SQL statement and when I do a <!--#var sqlMixed-->; however, it doesn't seem
to work with the single parameter access URL notation.

> <out on a limb>
> 
> I'd suggest decomposing this one SQL Method into three separate
> SQLMethods and calling them from the action document.  For example:
> 
> dtCompleteARegistration ==
> 
> <!--#call qryUpdateRoles-->
> <!--#call qrySelectUserInfo-->
> <!--#call qryDeleteOldUnregRecord-->
> 
> 
> </out on a limb>
> 
> >  where qryCompleteReg is 
> >  
> >  UPDATE users
> >  SET roles = 'Customer'
> >  WHERE username = 
> >    ( SELECT unregUsers.username
> >      FROM unregUsers
> >      WHERE MagicNumber = <!--#sqlvar MagicNumber type=string-->
> >    )
> >  
> >  <!--#var sql_delimiter-->
> >  
> >  SELECT users.username, fullName, email
> >  FROM users, unregUsers
> >  WHERE MagicNumber = <!--#sqlvar MagicNumber type=string--> AND
> >  unregUsers.username = users.username
> >  
> >  <!--#var sql_delimiter-->
> >  
> >  DELETE
> >  FROM unregUsers
> >  WHERE MagicNumber = <!--#sqlvar MagicNumber type=string-->
> >  
> >  Testing this sql_method using the manage interface works
> >  perfectly, but when I use it from the URL above it seems to work;
> >  however, it doesn't actually do the UPDATE or DELETE (the SELECT
> >  works, however).
> 
> --Rob
>