[Zope] Newbie Q: Passing REQUEST.form data to a Z SQL Method

Rafael Alvarado alvarado@phoenix.Princeton.EDU
Mon, 21 Jun 1999 08:59:51 -0400


Actually--the solution I posted is not satisfactory, since it produces a
page with the config menus, etc.  I suppose what I want then is to produce
my own "manage_test" handler.

-----Original Message-----
From: Alexander Staubo <alex@mop.no>
To: Zope Mailing List (E-mail) <zope@zope.org>
Date: Sunday, June 20, 1999 10:05 PM
Subject: RE: [Zope] Newbie Q: Passing REQUEST.form data to a Z SQL Method


>If I understand your problem correctly, you'd like to pass form
>variables to the SQL Method? If so, here's one way of doing it:
>
>  <!--#call "Test_sql(REQUEST)"-->
>
>This will essentially make REQUEST part of the namespace accessible to
>Test_sql. Note that this would lead to problems if your SQL Method
>refers to variables that should not be overrideable by REQUEST, such as
>security-related "where" conditions.
>
>To avoid such cases, pass all pertinent variables explicitly, like so:
>
>  <!--#call "Test_sql(name = REQUEST.name, salary = salaryfilter)"-->
>
>This prevents malicious users from requesting URLs like
>http://www.foo.com/ViewEmployees?name=myname&salary=40000 (assuming you
>want to block this, of course).
>
>Does this answer your question?
>
>--
>Alexander Staubo             http://www.mop.no/~alex/
>"It has taken the planet Earth 4.5 billion years to discover it is
>4.5 billion years old." --George Wald
>
>>-----Original Message-----
>>From: zope-admin@zope.org [mailto:zope-admin@zope.org]On Behalf Of
>>Rafael Alvarado
>>Sent: 21. juni 1999 04:01
>>To: zope@zope.org
>>Subject: [Zope] Newbie Q: Passing REQUEST.form data to a Z SQL Method
>>
>>
>>I have a Z SQL Method that takes an argument.  It was constructed with the
>>"Add" --> "Z SQL Method" form.  The method works fine when the argument is
>>provided by the automatically built search interface when testing it.
>>
>>Now, how do I have the argument value supplied by a DTML page that passes
>>the value directly as a REQUEST.form object?
>>
>>It seems that this should be a very simple problem, yet I have searched all
>>available documents for an answer without success.  Thanks to anyone who can
>>help
>>
>>Rafael C. Alvarado, Coordinator of Humanities and Social Sciences Computing
>>McGraw Center for Teaching and Learning, Princeton University
>>C-15-E Firestone Library, alvarado@princeton.edu
>>
>>
>>_______________________________________________
>>Zope maillist  -  Zope@zope.org
>>http://www.zope.org/mailman/listinfo/zope
>>
>>(For developer-specific issues, use the companion list,
>>zope-dev@zope.org - http://www.zope.org/mailman/listinfo/zope-dev )
>>
>
>
>
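The difference between the two calls in the quoted reply, modelled in plain Python with sqlite3 as an added example (not code from the thread and not Zope's own API). The employees table, the `salary <= ?` condition, the sample rows and every function name here are assumptions made for illustration.

```python
import sqlite3

# Constructed sample rows; table, columns and the salary condition are assumptions.
ROWS = [("alice", 30000), ("bob", 40000), ("carol", 90000)]
SERVER_CONTROLLED = {"salary"}  # arguments the page sets and a client must not


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (name TEXT, salary INTEGER)")
    db.executemany("INSERT INTO employees VALUES (?, ?)", ROWS)
    return db


def run_sql_method(db, namespace):
    """Hypothetical stand-in for Test_sql: takes its arguments from a namespace."""
    cur = db.execute(
        "SELECT name FROM employees WHERE name LIKE ? AND salary <= ? ORDER BY name",
        (namespace["name"], int(namespace["salary"])),
    )
    return [row[0] for row in cur]


def view_whole_request(db, form, salaryfilter):
    """Models Test_sql(REQUEST): every form field can shadow a page variable."""
    namespace = {"salary": salaryfilter}
    namespace.update(form)  # client-supplied 'salary' replaces the page's value
    return run_sql_method(db, namespace)


def view_explicit(db, form, salaryfilter):
    """Models Test_sql(name=REQUEST.name, salary=salaryfilter)."""
    return run_sql_method(db, {"name": form["name"], "salary": salaryfilter})


def overridden_keys(form):
    """Form fields that collide with server-controlled arguments (worth logging)."""
    return sorted(SERVER_CONTROLLED & set(form))


if __name__ == "__main__":
    db = make_db()
    form = {"name": "%", "salary": "999999"}  # constructed request with an extra field
    print(view_whole_request(db, form, 40000))  # salary cap replaced by the form value
    print(view_explicit(db, form, 40000))       # salary cap stays at 40000
    print(overridden_keys(form))
```

The values are bound as query parameters in both variants, so the difference shown is only which caller decides the `salary` argument.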