[Zope] Newbie Q: Passing REQUEST.form data to a Z SQL Method
Rafael Alvarado
alvarado@phoenix.Princeton.EDU
Mon, 21 Jun 1999 08:55:24 -0400
Thanks -- your info helps. It isn't precisely what I was looking for,
though.
What I want to know is how to replace the default data input page for a Z
SQL Method that takes arguments with one of my own.
In looking at the source of the automatically created search interface, I
noticed that the path info "manage_test" is added to the url of the target
query, and that the value is passed as a cgi variable. So I've been able to
do what I want to do.
But is this the "right way to do it" in Zope?
-----Original Message-----
From: Alexander Staubo <alex@mop.no>
To: Zope Mailing List (E-mail) <zope@zope.org>
Date: Sunday, June 20, 1999 10:05 PM
Subject: RE: [Zope] Newbie Q: Passing REQUEST.form data to a Z SQL Method
>If I understand your problem correctly, you'd like to pass form
>variables to the SQL Method? If so, here's one way of doing it:
>
> <!--#call "Test_sql(REQUEST)"-->
>
>This will essentially make REQUEST part of the namespace accessible to
>Test_sql. Note that this would lead to problems if your SQL Method
>refers to variables that should not be overrideable by REQUEST, such as
>security-related "where" conditions.
>
>To avoid such cases, pass all pertinent variables explicitly, like so:
>
> <!--#call "Test_sql(name = REQUEST.name, salary = salaryfilter)"-->
>
>This prevents malicious users from requesting URLs like
>http://www.foo.com/ViewEmployees?name=myname&salary=40000 (assuming you
>want to block this, of course).
>
>Does this answer your question?