[Zope] variable SQL statements - from external methods
Jim Penny
jpenny@universal-fasteners.com
Tue, 18 Sep 2001 17:35:44 -0400
On Tue, Sep 18, 2001 at 03:32:39PM -0600, ed colmar wrote:
> Hi All.
>
> Jim and several others were helping me to get my variable SQL methods
> working right. They're great and do everything I want from the test window.
> When I call them from my external method, they come back with a REQUEST
> error.
>
> This is how I call it:
This has not been tested, and I make no representation that it works.
try:
>
> mastertablename = "sometablename"
> self.SQL_create_master_table(mastertablename=mastertablename)
REQUEST.set('mastertablename', 'sometablename')
self.SQL_create_master_table(mastertablename=mastertablename)
or maybe (if you have not a REQUEST at hand)
self.REQUEST.set('mastertablename', 'sometablename')
self.SQL_create_master_table(mastertablename=mastertablename)
>
> Then I get:
>
> Error Type: Bad Request
> Error Value: ['mastertablename']
>
> What's the syntax to shove this variable and its value inside the request?
> Or am I doing something else wrong?
>
> Thanks everyone!
>
> -ed-
>
Again, just so everyone is aware. You have to do your own
enforcement and/or quote checking if you do this. You want
to be real sure that the user cannot supply something like
'table test (garbage text); drop table my_lifes_work'
as the value for mastertablename. At the very least you want
to reject any names with semicolons or periods, and probably want
mastertablename to be a span of [a-z0-9].
> > CREATE TABLE <dtml-var mastertablename>
> > (
> > ....
> > )
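
Added example, not part of the original message and not Zope's own code: one way to do the name check the reply asks for before the value reaches `<dtml-var mastertablename>`. The leading-letter rule, the 30-character cap, the function names, and the stand-in request and folder classes are assumptions made so the code runs outside Zope.

```python
import re

# Allowlist per the advice in the message: lowercase letters and digits only.
# The leading letter and the 30-character cap are assumptions added here.
_TABLE_NAME = re.compile(r"[a-z][a-z0-9]{0,29}")


def checked_table_name(name):
    """Return name unchanged if it is a safe identifier, else raise ValueError."""
    if not isinstance(name, str) or _TABLE_NAME.fullmatch(name) is None:
        raise ValueError("rejected table name: %r" % (name,))
    return name


def create_master_table(self, mastertablename):
    """External-method body: validate first, then call the ZSQL method."""
    name = checked_table_name(mastertablename)
    self.REQUEST.set("mastertablename", name)
    return self.SQL_create_master_table(mastertablename=name)


# --- constructed stand-ins so the example runs outside Zope ---
class _FakeRequest(dict):
    def set(self, key, value):
        self[key] = value


class _FakeFolder:
    """Mimics a folder whose ZSQL method renders <dtml-var mastertablename>."""
    def __init__(self):
        self.REQUEST = _FakeRequest()
        self.executed = []

    def SQL_create_master_table(self, mastertablename):
        sql = "CREATE TABLE %s ( ... )" % mastertablename
        self.executed.append(sql)
        return sql


def demo():
    """Run constructed inputs through the check; None marks a rejected name."""
    folder, results = _FakeFolder(), {}
    for candidate in ("sometablename",
                      "table test (garbage text); drop table my_lifes_work",
                      "other.schema", "Upper", ""):
        try:
            results[candidate] = create_master_table(folder, candidate)
        except ValueError:
            results[candidate] = None
    return folder, results
```

Only the first constructed input passes; the value from the message, the dotted name, the mixed-case name and the empty string are all rejected before any SQL is rendered.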