[Zope] sqltest vx. var
Rob Page
rob.page@digicool.com
Tue, 9 Mar 1999 11:05:08 -0500
> >Something I'm just curious about...
> >
> >where <!--#sqltest name column=column_name type=column_type-->
> >
> >VS.
> >
> >where column_name = <!--#var name-->
> >
> >Is the only advantage of using the first (sqltest) the type checking? I
> >can't find any other obvious advantages.
> >
>
> I haven't played with it too much but I think that Zope
> handles undefined
> variables properly if you do the sqltest.
>
> ie.
>
> where <!--#sqltest name column=column_name type=column_type-->
> and <!--#sqltest name2 column=column_name2 type=column_type-->
>
> will work if name2 is not defined.
>
> It also handles the quoting and SQL syntax (such as doubling
> single quotes).
Absolutely... we ran into some situations where the SQL was so dynamic
potential security problems arose. sqltest and sqlvar are designed to
reduce that exposure.
Additionally, we've found a very common rhythm where a search UI might
expose all or a large percentage of the available data elements in the
RDBMS. Using sqltest lets the user not specify one or more parameters
without a lot of messy <!--#if --><!--#/if --> stuff in the SQL Method.
--Rob
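The two points raised in the thread (sqltest doubles single quotes and type-checks the value, and an optional parameter simply drops out of the WHERE clause instead of needing <!--#if --> wrapping) can be shown outside Zope. The following is an added example written for this page, not code from Zope or from anyone in the thread: a small Python model of what `sqltest` renders, next to the raw `<!--#var name-->` interpolation from the original question, run against a constructed in-memory SQLite table. The function names `sqltest`, `where_clause`, `var_where` and `run_query` and the `optional` flag are assumptions for the illustration.

```python
import sqlite3
from typing import Mapping

def sql_quote(value: str) -> str:
    """Quote a string literal the way sqltest/sqlvar do: wrap in single
    quotes and double any embedded single quote."""
    return "'" + value.replace("'", "''") + "'"

def sqltest(params: Mapping[str, object], name: str, column: str,
            type_: str, optional: bool = False) -> str:
    """Model of <!--#sqltest name column=... type=...-->.

    Returns a "column = literal" fragment, or "" when the input variable is
    absent and the test is marked optional (the behaviour the thread relies
    on for an undefined name2). Type checking happens before anything is
    placed in the SQL text.
    """
    if name not in params or params[name] in (None, ""):
        if optional:
            return ""
        raise ValueError(f"Missing input variable {name!r}")
    raw = params[name]
    if type_ == "int":
        literal = str(int(raw))            # ValueError on non-integer input
    elif type_ == "float":
        literal = repr(float(raw))         # ValueError on non-numeric input
    elif type_ in ("string", "nb"):
        text = str(raw)
        if type_ == "nb" and not text.strip():
            raise ValueError(f"Input variable {name!r} must be non-blank")
        literal = sql_quote(text)
    else:
        raise ValueError(f"Unknown sqltest type {type_!r}")
    return f"{column} = {literal}"

def where_clause(*fragments: str) -> str:
    """Join the non-empty fragments with AND, omitting WHERE entirely when
    every parameter was optional and absent."""
    parts = [f for f in fragments if f]
    return ("where " + " and ".join(parts)) if parts else ""

def var_where(params: Mapping[str, object], name: str, column: str) -> str:
    """The <!--#var name--> style from the question: the value is pasted into
    the SQL text as-is, so the author has to supply the quotes by hand and
    nothing doubles quotes inside the value."""
    return f"where {column} = '{params[name]}'"

def run_query(where: str) -> list:
    """Run 'select name, age from people <where>' on a constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table people(name text, age int)")
    conn.executemany("insert into people values (?, ?)",
                     [("alice", 30), ("bob", 41), ("o'brien", 52)])  # constructed rows
    try:
        return conn.execute("select name, age from people " + where).fetchall()
    finally:
        conn.close()

if __name__ == "__main__":
    request = {"name": "o'brien"}            # name2 deliberately undefined
    where = where_clause(
        sqltest(request, "name", "name", "string"),
        sqltest(request, "name2", "age", "int", optional=True),
    )
    print(where)                              # where name = 'o''brien'
    print(run_query(where))                   # [("o'brien", 52)]
    try:
        run_query(var_where(request, "name", "name"))
    except sqlite3.OperationalError as exc:
        print("raw var interpolation broke the statement:", exc)
```

The raw `var` form fails on an ordinary surname containing an apostrophe, which is the same defect that lets hostile input alter the statement; the `sqltest` form produces a valid literal, and the missing `name2` simply contributes no condition, so no `<!--#if -->` guard is needed around it.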