On Mon, Jul 20, 2009 at 12:07 PM, Thomas D.<[email protected]> wrote:
> Hi Andrew,
>
> you wrote:
>> I only granted access to that one column to the web user account, but
>> that appears to be insufficient since the query generated by the
>> validator by way of Zend_Table attempts to select all columns:
>>
>> SELECT TOP 1 "InviteeCredentials".*, "InviteeCredentials"."LoginID"
>> FROM "InviteeCredentials" WHERE ("LoginID" = '[email protected]')
>>
>> I can get around this by either granting SELECT permissions to the
>> whole table or by building a view that contains only the column(s) I
>> want the web user to be able to select, but that should not be
>> necessary, kind of like driving a tack with a sledgehammer. Why does
>> the validator need to include any columns other than the one that you
>> pass to the constructor? For that matter, this query would provide all
>> the information the validator needs to be able to do its job:
>>
>> SELECT TOP 1 'Exists' AS 'Exists' FROM "sometable" WHERE "somecolumn"
>> = 'testvalue'
>
> I asked the same question some days ago without any response [1] but someone
> has changed it [2].
> Are you using the latest ZF version?
>
>
> See also:
> =========
> [1]
> <http://www.nabble.com/Zend_Validate_Db_Abstract-ineffecttive-and-expensive--tt23917431.html#a23917431>
> [2] <http://framework.zend.com/code/changelog/Zend_Framework?cs=16010>
>
>
> --
> Regards,
> Thomas

Hmm. I missed that somehow. I did search the archives before I posted and the only messages I came up with involving the new validators were the release notices for 1.8.

I think right now I've got 1.8 installed where I'm developing. We're still running 1.6 or 1.7 in production right now, and haven't upgraded because of a couple substantial things that changed in 1.8 that will break existing apps until we have time to fix them. So 1.8.4 should resolve this?

On a tangential note, this is a common issue I seem to have with ZF database handling. There is a lot I like about the framework, but it does not seem to lend itself to a design paradigm that uses stored procedures for database access. True, you CAN execute procedures via the framework, but all of these built-in goodies are dependent on Zend_Db_Table and lean heavily toward granting full access to all objects in the database. It would be nice to see some of the features like Db_RecordExists accept arrays and/or Zend_Config instances where you could optionally define a procedure name and some parameters rather than just a table and column name.

Andrew
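
Added example, not part of the original thread and not Zend Framework code: a T-SQL script showing the column-level grant discussed above, the wide query it denies, the narrow existence check it allows, and a procedure-based alternative. SQL Server is assumed from the `TOP 1` syntax; `web_user`, `PasswordHash`, `usp_InviteeExists` and the sample row are hypothetical.

```sql
-- Constructed schema: only the table name and LoginID come from the thread.
CREATE TABLE dbo.InviteeCredentials (
    LoginID      nvarchar(255) NOT NULL PRIMARY KEY,
    PasswordHash varbinary(64) NOT NULL      -- hypothetical sensitive column
);
INSERT INTO dbo.InviteeCredentials VALUES (N'invitee@example.test', 0x00);
CREATE USER web_user WITHOUT LOGIN;          -- hypothetical web account
GRANT SELECT ON dbo.InviteeCredentials (LoginID) TO web_user;
GO

EXECUTE AS USER = 'web_user';
GO
-- Same shape as the validator's query: the ".*" also reads PasswordHash,
-- so this batch is expected to fail with a permission-denied error.
SELECT TOP 1 InviteeCredentials.*, InviteeCredentials.LoginID
FROM dbo.InviteeCredentials WHERE (LoginID = N'invitee@example.test');
GO
-- Narrow existence check: touches only the granted column, so it succeeds.
SELECT TOP 1 'Exists' AS [Exists]
FROM dbo.InviteeCredentials WHERE LoginID = N'invitee@example.test';
GO
REVERT;
GO

-- Procedure-based alternative: the web account needs no SELECT on the table.
-- Table and procedure share an owner, so ownership chaining covers the read.
CREATE PROCEDURE dbo.usp_InviteeExists @LoginID nvarchar(255)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CASE WHEN EXISTS (SELECT 1 FROM dbo.InviteeCredentials
                             WHERE LoginID = @LoginID)
                THEN 1 ELSE 0 END AS LoginExists;
END;
GO
REVOKE SELECT ON dbo.InviteeCredentials (LoginID) FROM web_user;
GRANT EXECUTE ON dbo.usp_InviteeExists TO web_user;
GO

EXECUTE AS USER = 'web_user';
EXEC dbo.usp_InviteeExists @LoginID = N'invitee@example.test';  -- LoginExists = 1
REVERT;
GO
```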
