RE: [Zope-dev] CST 0.8 Updater Fixed...
Sorry to contradict you Chris, but it was actually Sgt. Shultz who stated that famous line. It's not often I can contribute so I thought I would give something back! 8^) Allen (active member of ZA - -Zopaholics Anonymous) -Original Message- From: Chris McDonough [mailto:[EMAIL PROTECTED]] Sent: Friday, April 27, 2001 12:21 PM To: Chris Withers; [EMAIL PROTECTED] Subject: Re: [Zope-dev] CST 0.8 Updater Fixed... I stopped the above by wrapping the code as follows: snip Cool! I wonder why it's necessary? Something to do with the weirdy mounted internal session data container? As Colonel Klink says so well, I see nussing! ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope ) ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
RE: [Zope-dev] ZODBCA questions...
We too are having problems connecting to Access2000 with ZODBCDA. Seemed to be working fine (and I guess it still does) but it is slowing our whole site down. all our parts were playing together very well until (we think) about the 2.3.x introduction. Our site grinds to a halt and is very slow in every aspect; usually in the morning but on and off throughout the day. We tried some caching in various places which seemed to help for a while but it is slowing back down again. Access2000 on Win2000 with ODBC connection to Zope with ZODBCDA. Could it be the single threadedness of either the DA or Win2K ODBC driver or Access2000 itself?? We think we have narrowed it down to the database causing the slowdown. Considered a move to MySQL as it is installed. Would the ZODBCDA to MySQL cause similar problems? Better to use the native My SQL DA? Anyone else running into same problems? Have any options to try? Thanks Allen -Original Message- From: Tim McLaughlin [mailto:[EMAIL PROTECTED]] Sent: Tuesday, April 10, 2001 7:51 AM To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]' Subject: Re: [Zope-dev] ZODBCA questions... Andy- We've had no probs with ZODBCDA connected to SQL Server (7 and 2000). What leads you to think it's a prob with the DA? Tim Message: 2 From: "Andy McKay" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Date: Mon, 9 Apr 2001 10:45:55 -0700 Subject: [Zope-dev] ZODBCA questions... Im getting some performance issues with my sites, im connecting Zope to a SQL Server (not using ZEO). I've got suspicion, but no proof, that its ZODBCA that is the problem. Does anyone have experiences with this on large sites and / or a suggestion to replace it? Cheers. -- Andy McKay. ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope ) ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Bad: Re: [Zope-dev] ZSQL using LIKE operator
Got it. Making the change now. Thanks for keeping an eye on this thread. What about the sqltest suggestion on posted on this thread? Or do sqltest and sqlvar handle DB calls in a similar fashion? Thanks -Original Message- From: Jon Franz [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 08, 2001 3:54 PM To: '[EMAIL PROTECTED]' Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator No, this is bad!! Do NOT do this - it will allow Bad characters in your SQL query that could allow mischievous people to tamper with your Db and possibly hack your box (depending upon what DB you are using, how it is configured, what user it runs as, etc) This is the whole reason the dtml-sqlvar tag exists - _Safe_ conversion to formats usable by your DB, including escaping of bad characters. instead, do This: SELECT * FROM table WHERE keywords LIKE dtml-sqlvar "'%' + my_var + '%'" type=string the expression inside the quotes will handle adding the %'s to the beginning and end of your string. Sorry about the correction, but this Can be a big security hazard... ~Jon Franz/'Coventry': http://www.zope.org/Members/Coventry Message: 9 Date: Thu, 08 Feb 2001 07:32:48 -0500 Subject: Re: [Zope-dev] ZSQL using LIKE operator From: Jens Vagelpohl [EMAIL PROTECTED] To: "Schmidt, Allen J." [EMAIL PROTECTED], [EMAIL PROTECTED] just write it out like: SELECT * FROM table WHERE keywords LIKE '%dtml-var name="my_var"%' jens ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope ) ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
RE: Re: [Zope-dev] ZSQL using LIKE operator
Not taken as being harsh from where I stand! The more we know...the better! Thanks for the guidelines and the URL. It has been passed on to the group that handles the MySQL on our server. Have not started using it for Production, but will be soon. From a recent post, I noticed that this topic might be better suited for the normal Zope list. Would this be accurate? Comments welcome on accepted topics. Thanks Allen -Original Message- From: Jon Franz [mailto:[EMAIL PROTECTED]] Sent: Friday, February 09, 2001 10:18 AM To: 'Schmidt, Allen J.' Cc: '[EMAIL PROTECTED]' Subject: RE: Re: [Zope-dev] ZSQL using LIKE operator sqltest just creates the full string of the where clause segment for the test using the same kind of 'safe' sql-string logic as sqlvar: so you should be able to replace the value to test against with any valid python expression, such as the one below where the % operators are concatenated onto the variable holding the value you want to test against. :) As for the difference between dtml-sqlvar and dtml-var sqlquote (in case anyone is confused), an sqlvar tag requires a type value and will not only perform an sqlquote on the value being inserted into the statement, but will do any/all type conversion/stripping (letters from numeric values, etc) needed based upon the requested type. If anyone is concerned/puzzled by the security hazards I listed below, here is a URL describing problems associated with bad data used within queries and a mysql DB: http://www.mysql.com/doc/G/e/General_security.html See the bullet point beginning with 'Do not trust any data entered by your users.' Sorry if I seemed harsh in my original post, but security is my bread and butter, so I may tend to be Loud when I see something wrong... PS: In order to increase the safety of ZSQLMethods, maybe the basic dtml-var tag should be made illegal inside it? (forced usage of the safe form would break some existent code, possibly, but would avoid confusion such as this in general - and thus be safer) -Original Message- From: Schmidt, Allen J. [mailto:[EMAIL PROTECTED]] Sent: Friday, February 09, 2001 7:01 AM To: 'Jon Franz'; '[EMAIL PROTECTED]' Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator Got it. Making the change now. Thanks for keeping an eye on this thread. What about the sqltest suggestion on posted on this thread? Or do sqltest and sqlvar handle DB calls in a similar fashion? Thanks -Original Message- From: Jon Franz [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 08, 2001 3:54 PM To: '[EMAIL PROTECTED]' Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator No, this is bad!! Do NOT do this - it will allow Bad SNIP ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
RE: [Zope-dev] ZSQL using LIKE operator
Yup...You're right. I found an item that had a single quote in it. I tried it and the query blew up. then I added parts you suggest, and bingo...works fine. Thanks! To get around another problem I noticed... I have a keywords text field to search through everything in every category. On the same page, I have links which pass on the category number to the ZSQL method. The keywords FORM uses a hidden category field which I set to ="" -- worked fine. But if I used the URL to jump right to the category listings, there was no keyword to pass. I just set an empty property named 'keywords' and then if the URL search is used, keywords has a 'value'. I am sure there is a more elegant way to do this..but it works fine. Thanks again guys! Allen -Original Message- From: Casey Duncan [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 08, 2001 11:11 AM To: Jens Vagelpohl Cc: Schmidt, Allen J.; [EMAIL PROTECTED] Subject: Re: [Zope-dev] ZSQL using LIKE operator Jens Vagelpohl wrote: just write it out like: SELECT * FROM table WHERE keywords LIKE '%dtml-var name="my_var"%' jens on 2/8/01 7:17, Schmidt, Allen J. at [EMAIL PROTECTED] wrote: I have been through the docs, searched a variety of locations, and cannot find anything on how to resolve a query which I need to read: SELECT * FROM table WHERE keywords LIKE '%keywords_variable%' dtml-sqltest has 'op=like' and when set to 'type=string' produces the LIKE operation in the query, with single quotes, but I cannot get it to 'wrap' the keywords with the percent characters and THEN the single quotes to produce that which I have in the query above. Ideally what I need to produce would be the query to search through some text in several fields by the keyword_variable (IF any keywords are provided) AND/OR within a specific category of information. If I can get the syntax to solve the above situation I think I can get dtml-sqlgroup to sort out what information is provided and construct the query accordingly. Sorry for the length of this newbie question but I am stumped on this one. And, so ends my lurking status. Thanks! Allen SELECT * FROM table WHERE keywords LIKE '%dtml-var name="my_var" sql_quote%' would be a safer bet. Otherwise a value of my_var with a single quote in it wouldn't work. -- | Casey Duncan | Kaivo, Inc. | [EMAIL PROTECTED] `-- ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] ZSQL method - Can it 'resolve' a property value?
I have an index_html which runs queries that count the number of items in a
category and displays the number next to each category which is a link to
the SearchResults page that will pass the name of the property to the next
query. This is how I do the count part:
(dtml-in countAnnouncementsdtml-var announcements null=""/dtml-in)
I have a sql method for each count query and each uses a property (like
announcements above) that contains a list of numbers (i.e. Announcements
has: '001','002','003','004' )
So the query does a WHERE category IN ('001','002','003','004') statement by
resolving the property and getting the list of numbers. This part works
well.
Now,...
When I try to do the same thing on the SearchResults page, using a new sql
method, I cannot get the property to resolve. I try using an attribute of
the category for testing so it prompts for the category name when I test it.
I use the MULTIPLE attribute with a DTML-SQLTEST to produce the "WHERE IN"
type of query. I type in the name of the property that contains the list of
numbers and all I get for the query is: WHERE category =
('nameOfProperty')
This makes less sense as I am describing it, but it may be clear to someone.
Thanks
Allen
___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
