Re: [Zope-DB] [Zope] Stored Procedures Versus ZSQL Methods

2009-02-17 Thread JPenny
Yes, with a stored procedure the DB does not have to reparse and
prepare a new plan for every query.  This can be a major win.  Esp. 
on Oracle.





Remy Pinsonnault remypinsonna...@gmail.com 
Sent by: zope-boun...@zope.org
02/17/2009 06:37 PM

To
zope-db@zope.org, z...@zope.org
cc

Subject
[Zope] Stored Procedures Versus ZSQL Methods






Hello,

We have a Zope application with thousands of Z SQL methods connected to an 
Oracle Database.

Our DBA want us to develop our new applications using stored procedures 
called through external methods, instead of using directly Z SQL methods, 
for performance issues and memory usage.

Do stored procedures will allow better performance?

Thanks in advance

Rémy___
Zope maillist  -  z...@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


___
Zope-DB mailing list
Zope-DB@zope.org
http://mail.zope.org/mailman/listinfo/zope-db


Re: [Zope-DB] [Zope] Stored Procedures Versus ZSQL Methods

2009-02-17 Thread JPenny
No, ZSQL really predates bind variables.  That is, they we
available on a few systems, but were rare.  If the Oracle 
specialist has a reason for going to external methods, like
his server is seriously loaded, I would pay attention to him.
If he is just following some set of best practices, well, that
is a political problem for Remy.

Using external methods will be more work for the zope writer. 
I don't know enough to comment seriously on security issues, 
but I think that using procedures, like using bind variables, will 
make  SQL Injection much harder.





Cynthia Kiser cnk+z...@caltech.edu 
02/17/2009 06:44 PM

To
jpe...@ykksnap-america.com
cc
Remy Pinsonnault remypinsonna...@gmail.com, zope-db@zope.org
Subject
Re: [Zope-DB] [Zope] Stored Procedures Versus ZSQL Methods






Quoting jpe...@ykksnap-america.com jpe...@ykksnap-america.com:
 Yes, with a stored procedure the DB does not have to reparse and
 prepare a new plan for every query.  This can be a major win.  Esp. 
 on Oracle.

Does ZSQL allow the use of bind variables? If so and the database has
a correctly sized query cache, there shouldn't be much reparsing for
repeated queries. 


___
Zope-DB mailing list
Zope-DB@zope.org
http://mail.zope.org/mailman/listinfo/zope-db


Re: [Zope] ExternalMethod - add new parameter

2008-04-08 Thread JPenny
Zope itself should not be running as root.  The external method will run 
as
whatever user zope is running as.

If you insist on doing this kind of thing, which is a pretty bad idea, 
then
use os.system(...) or one of the popen(...) commands to call another 
program
that you have permitted root access by a somewhat controlled process,
such as sudo.  At least then, you will have a log of changes (unless you 
make
a security mistake and the log can itself be altered).

jim penny 




Chris Withers [EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED]
04/08/2008 09:52 AM

To
rishi pathak [EMAIL PROTECTED]
cc
Dieter Maurer [EMAIL PROTECTED], zope@zope.org
Subject
Re: [Zope] ExternalMethod - add new parameter






rishi pathak wrote:
  I dont have a need to run all the external method as root, 
only
 some of them. 

You seem to be carefully ignoring the fact that Dieter is pointing out 
that this isn't possible ;-)

Chris

-- 
Simplistix - Content Management, Zope  Python Consulting
- http://www.simplistix.co.uk
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] a couple of basic questions

2007-06-20 Thread JPenny
[EMAIL PROTECTED] wrote on 06/19/2007 08:20:44 PM:

 Hi, thank you for taking the time to read this.
 
 1. I'm trying to learn to write a website using zope, the progress 
 is good but i need to understand how can i call an zope object (ZPT 
 or SQL or Script) from a script in this setup: 
 
 /root
 /mysite
  /db
 sql_do_something
  /script
 call_sql_do_something
  index_html
 
 
 i tryed to call it using sql_do_something = 
 context['db/sql_do_something'] hoping that maybe using aquisition 
 ... i can get the script ... but i get the message that he can't 
 find the object. 

Maybe context['db']['sql_do_something'].  I don't remember. 

 
 the only way i managed to call it is ... if the files are in the same 
dir.
 im currently using them this way ... but it's gonna get a mess soon,
 all those scripts and sql and ZPT in the same dir.

I actually want all of them bundled.  I do a folder per project, and 
generally
want most of the non-pervasive stuff necessary for a single application in
a single folder, the logic being that I know where to start looking when a 
problem
or extension request happens.

Most folders are 50 to 100 objects, and it just hasn't been an issue to 
me.
The worst is nearing 600 objects, which is teetering on the edge.

 
 2. I'm not writing products, just simple ZPT and script ... and i 
 want version control for them, i have svn installed but ... the 
 files are all inside zope database (i don't even know how the 
 database file is named). Is there a svn plugin or a way to add those
 files to repository?  I think that adding the entire zope database 
 is a bit awkward ... hard to diff etc. 

Yes, look at FileSystemSite (http://www.infrae.com/download/FileSystemSite 
for
source).  Or you can install CMF.  I seriously wish that FileSystemSite 
would
be moved into Zope core.

There are older methods of syncing the ZODB to cvs.  Generally, these are
to be avoided, they work fine when they work, but when they fail they are
difficult to resync.

jim penny
 
 3. Almost the same as the svn problem ... i want to backup my files 
 from time to time .. db and code, i know how to backup my mysql db, 
 but i don't know how to get the zope files.
 I think i i find the answer for the question nb 2, number 3 will be the 
same. 
 
 Thank you, expert Zope programmers.
 
 
 ___
 Zope maillist  -  Zope@zope.org
 http://mail.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://mail.zope.org/mailman/listinfo/zope-announce
  http://mail.zope.org/mailman/listinfo/zope-dev )

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


RE: [Zope-DB] Using dtml-vars in ZSQL methods?

2007-06-18 Thread JPenny
 
 I also have a broader question:  When one is composing dynamic SQL in 
Python
 scripts, what are the pros and cons of executing them by going directly 
to
 the database adapter (as suggested above) vs passing it in as the sole
 argument of an empty ZSQL method?  By empty ZQL method I mean 
something
 like:
 

There are no pros and cons.  Only cons.

There is a good argument to be made that ZSQL methods are entirely
a bad idea -- that only prepared statements should be supported, as it
is far harder to break security.

But, every use of dtml-var ... in a ZSQL method requires that the 
argument be examined and correctly SQL-Quoted.  For example, what is
to keep someone from entering 13225, 12337; delete from person in 
your web form?

Further, you have greatly complicated verification and maintenance.  It
no longer is enough to test the ZSQL method to be sure that it operates
as expected.  You have to examine every call-point to determine what the
SQL method is doing.  And you have to examine every argument to be sure
that it has been quoted properly and you aren't open to SQL injection.

Charlie has already given the best answer -- use a really simple method 
like:
delete from person where person_id = dtml-sqlvar foo type=int, and
call it once for each person you have to delete.  SQL injection is
impossible, since foo is verified to be an int just before it is used.

Now, there are times where dtml-var ...  is unavoidable;  IN clauses and
LIKE clauses are the principal ones.  In either case, you really need to
verify the arguments.  At the bare minimum, look at dtml-var ... 
sql_quote.


jim penny


___
Zope-DB mailing list
Zope-DB@zope.org
http://mail.zope.org/mailman/listinfo/zope-db


Re: [Zope-DB] Please help me about driver adapter

2007-02-16 Thread JPenny
An alternative is:

select * from students
where surname like '%dtml-var surname sql_quote%'

This is a bit more succinct, but if you use it, be sure not to
forget the sql_quote, or you will be open to sql injection problems.

jim penny

[EMAIL PROTECTED] wrote on 02/16/2007 02:57:37 AM:

 On Fri, 2007-02-16 at 07:38 +0100, robert rottermann wrote:
  I do not think any one of us can help you unless you tell us what
  exactly your problem with installing pymssql ist.
  by the way: do you mean MySQLdb?
  
  there is very good  documentation on using Z SQL in the zope book:
  http://www.plope.com/Books/2_7Edition/RelationalDatabases.stx
  
  there you find examples how to use a query with like.
  robert
 Here's an example of how to use like and wildcards in sqlvar's
 
 select * from students
 where surname ilike dtml-sqlvar expr='%'+surname+'%' type=string
 
 Regards
 Garry
 
 ___
 Zope-DB mailing list
 Zope-DB@zope.org
 http://mail.zope.org/mailman/listinfo/zope-db

___
Zope-DB mailing list
Zope-DB@zope.org
http://mail.zope.org/mailman/listinfo/zope-db


Re: [Zope] SSL and Apache

2007-01-11 Thread JPenny
[EMAIL PROTECTED] wrote on 01/11/2007 12:07:37 PM:

 Hi,
 
 I am writing a thesis about the security of Zope and have these
 questions. I am wondering if this is the right place to ask.
 
 Is Zope behind Apache the only solution to provide SSL connection to 
Zope?

No, but it is the most common setup.  Zope is believed to be very secure,
but it has had, in no way, the amount of exposure, and thus 
battle-hardening
that Apache has.

Moreover using another web server in front of Zope has other benefits --
  1)  Static content can usually be displayed faster using a system tuned
  for static content, rather than one tuned for dynamic content.
  2)  URL-rewriting makes it possible to transparently distribute site
  site content to multiple Zope versions or multiple machines.
  3)  In some circumstances, the front-end webserver can provide caching
  services, reducing the load on the Zope portion.

 
 If not what are the other options?

Note:  any SSL proxy can be used.  Apache is just common, and does
URL-rewriting.

 Have there been any work on making Zope being able to handle SSL itself?

It has been done in the past.  I don't think that there is a current
patch available.

 If not, why it is hard to?

Not particularly hard.  You just don't get the other side-benefits.


jim penny


___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] Isn't DTML more like what other frameworks do?

2007-01-08 Thread JPenny
[EMAIL PROTECTED] wrote on 01/08/2007 01:01:26 PM:

 Why (the hell) are you (still) using DTML (as newbie). You are 
strongly
 encouraged to use ZPT.
 
 My sense is that ZPT solves a problem which for most of us does not 
 exist. If you wish to have designers work directly on markup in an 
 HTML WYSIWYG editor then yes, ZPT is great.
 
 What does matter is that DTML is very similar to RHTML (as in Ruby 
 On Rails), ASP, etc. ZPT requires a new way of thinking. I would 
 much rather convert RHTML to or from DTML than to or from ZPT.
 
 So I don't really get the benefit of using ZPT. The fact that no one
 outside of Zope seems to have created a ZPT-like solution suggests 
 to me that ZPT, as I said, solves a problem which doesn't exist. 

I initially resisted ZPT, strongly.  But, the designer/developer
dichotomy is not the real reason to use ZPT.  The real reason is that
ZPT makes it very difficult to generate ill-formed pages.

A secondary reason, is that if you are doing a lot of work with forms,
it is actually much easier to create a single forms that handles both
initial input and correction of errors.

jim penny
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] no accounts in root user folder?

2006-08-10 Thread JPenny
[EMAIL PROTECTED] wrote on 08/10/2006 
02:02:28 PM:

 Vangelis Mihalopoulos wrote at 2006-8-10 10:58 +0300:
 I have a zope app in a folder and have an exUserFolder in there to 
 authenticate the app's users. The app is working fine and i get 
 authenticated by the exUserFolder and everything works. I tried to 
 delete the single admin account (with Manager privileges) from the 
 root standard user folder and the app breaks with:
 
 Unauthorized: You are not allowed to access 'call_backend' in this 
context
 
 where 'call_backend' is an External Method called by a Python Script. 
 All objects in zope are owned by the admin. Could this be causing the 

 problem?
 
 Others already answered yes.
 
 I just would like to add that this is due to the executable owner
 feature, introduced in Zope 2.2 to make Trojan horse attacks much
 more difficult. You may still be able to find the corresponding
 documentation (maybe even in the Zope Book (2.7 edition on Plope.org).
 
 

I would also add.  It is usually a real good idea to put only
admin users in the root folder anyway. 

This gives you additional protection from several problems:  it makes
database connection methods much harder to see, it protects you from
bugs in add-on acl_user products, it keeps people from doing things
like adding a siteroot to your root folder, and it keeps people out of
the Control_Panel.

The only thing that I can imagine that you would want non admins to have
access to in the root folder is the error_log. 
In a large organization, I could see that you would want programmers
who do not have admin rights to be able to see it.  That might take some
special handling, but I suspect that you could use a proxy role or
even just set its access to Anonymous (although that may lead to 
unintended information leakage).

jim penny
 
 -- 
 Dieter
 ___
 Zope maillist  -  Zope@zope.org
 http://mail.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://mail.zope.org/mailman/listinfo/zope-announce
  http://mail.zope.org/mailman/listinfo/zope-dev )

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


[Zope] Is it possible to render a TAL expression from a Page Template?

2006-06-21 Thread jpenny
Suppose I have a variable foo that has value request/name|nothing.

Is it possible from a Python Script to have this evaluated as a TAL
expression?

Alternatives?

Thanks
jim
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] Is it possible to render a TAL expression from a Page Template?

2006-06-21 Thread jpenny
Thanks, the external method appears to work fine.  I thought about the
silly Page  Template, but forgot the path: modifier exists!  But the EM
should be far faster, anyway.

Thanks again.

jim

[EMAIL PROTECTED] wrote on 06/21/2006 04:04:31 PM:

 En/na [EMAIL PROTECTED] ha escrit:
  Suppose I have a variable foo that has value request/name|nothing.
  
  Is it possible from a Python Script to have this evaluated as a TAL
  expression?
 
 AFAIK TALES machinery ($ZOPE_HOME/lib/python/Products/PageTemplates) 
 can't be accessed from restricted code. Maybe ZTUtils, 
 PythonScript.standard or other module expose it in some way, I don't 
know.
 
  Alternatives?
 
 * External method:
 
 from Products.PageTemplates.Expressions import getEngine
 
 def evalTAL(talstr, **kw) :
 engine = getEngine()
 comp = engine.compile(talstr)
 return engine.getContext(**kw).evaluate(comp)
 
 then, from a PythonScript do:
 
 result = context.evalTAL(request/name|nothing, here=context, 
 request=REQUEST)
 
 
 * Create a PageTemplate named evalTAL with a body like:
 
 foo tal:replace=python:path(options['param'])/foo
 
 then, from a PythonScript do:
 
 result = context.evalTAL(param=request/name|nothing)
 
 result will always be an string. Not a serious alternative, just a 
 creative way.
 
 
 
 
 HTH
 ___
 Zope maillist  -  Zope@zope.org
 http://mail.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://mail.zope.org/mailman/listinfo/zope-announce
  http://mail.zope.org/mailman/listinfo/zope-dev )

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] Zope Recordset Object

2006-06-16 Thread jpenny
http://mail.zope.org/pipermail/zope-dev/1999-September/001414.html

The only auxiliary structure I ever use is names, i.e.
n2i = {}
res = container.foo_zsql()
nms = res.names()
for i in range(len(nms)):
  n2i[nms[i]] = i

Then I can address by name as in
res[i][n2i['column_name']]

jim


 Hello,
 I have a ZSQL Method, which is called by my python
 script.
 However, I am curious as to what type of object is
 returned when that call is made.
 It's some sort of a recordset (or resultset) object
 that behaves like a list...it doesn't seem to be a
 dictionary object though, but I can't find any object
 reference on it.  I tried using rs.keys() but it says
 that method doesn't exist in that class.
 Does anyone have a member function list (object
 reference ) that's associated with this resultset or
 can tell me what kind of object is returned?
 I gave up on google, couldn't find anything on it. 
 
 Thank you in advance!
 

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] Atomic ZSQL on Zope 2.7.5

2006-04-25 Thread jpenny
I think that your problem is in the fact that you have fed them all in
one long string (and may have autocommit on.)

If they were separate ZSQL methods, they would, in my experience,
roll back. 

I recommend separating them into separate methods, with one insert
per method.

jim penny

[EMAIL PROTECTED] wrote on 04/25/2006 10:38:30 AM:

 For some reason I thought ZSQL method calls were atomic, but they appear
 otherwise.
 
 
 
 Using an eGenix mxODBC Database Connection at
 /Database/PoPy_database_connection to a SQL Server 2000 back end, I have
 created a Python script to write SQL commands and feed them in one large
 string:

...

 
 
 
 How can I detect failure and maintain atomicity?
 
 
 
 
 
 Michael Maslak, Jr.
 

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] Generic SQL insert

2006-04-13 Thread jpenny
Great idea.  Not to be recommended in general.

This works because every field is textual, and you are
sql-quoting by using type=string.

Here are the problems:
1)  if someone reads this and does not use the type=string
tag, or equivalent, they will be wide open to sql injection.
2)  OR, they can pass a list of type with each variable.
3)  If you have to handle casts, then you will have to pass
a list of cast-types, as well.

So, you have essentially moved the problem from making at
least one insertion call per table to a single insertion method
that requires the creation of two, three, or four lists.  This does
not self-evidently require less work.

You can no longer inspect the method to see if it is correct.
You have to look to each call-point to determine what is actually
being used.  Just as bad, your application goes happily on its way if you
are missing (non-key) variables.

Keep zsql methods a simple as possible.  Use as few tricks as
possible.  Your goal is self-evident correctness, not the minimization
of typing.

jim penny




[EMAIL PROTECTED] wrote on 04/13/2006 02:23:22 PM:

 Whenever I'm using SQL databases in zope, I always seem to have to make
 a ZSQL instance for inserting into every table in my database, and they
 are all nearly the same - they just have a list of all the fields in the
 database in the parameters, then they say:
 
 insert into [table] ([list of fields]) values ([list of dtml-sqlvars])
 
 I'd much rather have a dictionary of fields and values, and just throw
 it at the DB, not having to make those queries for every table. I have
 acheived it like so:
 
 mydict = {field1:value1 , field2:value2 ,...}
 (fields,values)=zip(*myDict.items())
 context.genericInsert(table='table name',fields=fields,values=values)
 
 Where generic insert is the following ZSQL method:
 insert into dtml-var table
  (dtml-in expr=fieldsdtml-var sequence-itemdtml-if
 sequence-enddtml-else,/dtml-if/dtml-in)
  values (dtml-in expr=valuesdtml-sqlvar sequence-item
 type=stringdtml-if sequence-enddtml-else,/dtml-if/dtml-in);
 
 with parameters:
 * table - table name
 * fields - list of fieldnames
 * values - list of values in the same order
 
 What do other people think of this? Is it a really bad idea?
 
 Robert Munro
 ___
 Zope maillist  -  Zope@zope.org
 http://mail.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://mail.zope.org/mailman/listinfo/zope-announce
  http://mail.zope.org/mailman/listinfo/zope-dev )
 

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope-dev] Re: Wishlist Item

2006-03-27 Thread jpenny
OK, sorry about raising an issue that I was not around to comment on.

First, there seems to be a good deal of confusion on what FileSystemSite
or the DirectoryView portions of CMF are.  They are simply a way to have
Zope2 programmatic content stored directly on the filesystem, including
dtml, page templates, python scripts and zsql methods, among others.

FileSystemSite does not allow filesystem access in the usual
sense, access is read-only;  objects cannot be created on the filesystem
through ZMI.  Arbitrary filetypes cannot be easily stored on the 
filesystem
at all (In fact I have no interest in that, I can always store such
files in Apache-space.)

This, or the CMF version, or something like it should be included because 
it is a large step up from pure TTW development in that it makes 
using conventional OS-level tools easier, including revision control 
systems
and editors.  It also gets the job done without all the effort of zope2
python based products.  While products are important, and indeed, at this
point the zope3 way, they don't scale down very well; and for one-off,
will never meet the external world, systems; they represent a lot of
wasted motion.  FilesSystemSite and DirectoryView represent a 
middle way between pure TTW and pure file-system development.

This is an idea that has come up at least three times, Ape was partially
inspired by it, the CMF suite has such components, and it was thought
to be worthwhile to pull out of CMF.

CMF is a lot of overhead to pull in just to get DirectoryView, and exactly
what to install to get DirectoryView and as little else as possible 
installed
is not documented.  In fact, neither is very well documented.

I don't care whether DirectoryView, or FileSystemSite, or yet another
implementation is blessed.  However, the idea of permitting all 
programmatic
content to be stored directly on the filesystem has merit and  has been
developed multiple times.  It is an option that belongs in zope2 core.

Note:  if one is chosen, I will write a draft of a chapter for the Zope 
Book
for the blessed implementation.

jim penny

[EMAIL PROTECTED] wrote on 03/26/2006 09:56:01 AM:

 Tino Wildenhain wrote:
 
  Maybe its just me but I personally dont like direct filesystem
  access in the core - if someone wants it, (s)he can pick from
  the 3rd party products - maybe there can be a list of recommended
  (active maintained) products? Direct access products should also
  carry some easily understandable warnings.
 
 I can understand that point of view for products that allow writing to 
 the filesystem, but, conceptually, what's the difference between 
 read-only filesystem access and a standard filesystem product?
 
 None, I think, but then I may have misunderstood the purpose of 
 FileSystemSite, and friends.
 
 Tim
 ___
 Zope-Dev maillist  -  Zope-Dev@zope.org
 http://mail.zope.org/mailman/listinfo/zope-dev
 **  No cross posts or HTML encoding!  **
 (Related lists - 
  http://mail.zope.org/mailman/listinfo/zope-announce
  http://mail.zope.org/mailman/listinfo/zope )
 

___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )


[Zope-dev] Wishlist Item

2006-03-24 Thread jpenny
I don't particularly care one way or the other about ZClasses.

However, I would like to see FileSystemSite made part of the
base distribution.

jim penny
___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )


Re: [Zope] Re: Ape

2006-03-16 Thread jpenny
I am perhaps being too lazy here.  What is the minimal CMF
stuff to install to get the CMFCore/FS... objcts installed?

[EMAIL PROTECTED] wrote on 03/16/2006 03:05:45 PM:

 On Thu, Mar 16, 2006 at 12:59:04PM -0500, Chris Kratz wrote:
  Hello Paul,
  
  How does the refresh interval work for DirectoryView?
 
 If I wrote it in english, it wouldn't be any shorter than the code
 in CMFCore/FSObject.py :-)   See the _updateFromFS() method,
 you can browse it on svn.zope.org.
 
 -- 
 
 Paul Winkler
 http://www.slinkp.com
 ___
 Zope maillist  -  Zope@zope.org
 http://mail.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://mail.zope.org/mailman/listinfo/zope-announce
  http://mail.zope.org/mailman/listinfo/zope-dev )
 

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] Double quote in ZSQL Method

2006-02-20 Thread jpenny
tablename.dtml-var species sql_quote
should work.  Be sure that you check that species is valid
before this call.  sql_quote should protect you from SQL injection,
but it is better to be safe.

jim



[EMAIL PROTECTED] wrote on 02/20/2006 05:46:49 PM:

 Hi,
 
 In a ZSQL Method, I have tablename.dtml-sqlvar species type=string
 and I get tablename.'species_value', what I need is
 tablename.species_value.  Any idea how I can get Zope/ZSQL to not
 put in the single quotes (or use double quotes)?
 
 Thanks,
 Jason.
 
 --
 
  Jason C. Leach
  PGP Key: 0x62DDDF75
  Keyserver: gpg.mit.edu
 ___
 Zope maillist  -  Zope@zope.org
 http://mail.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://mail.zope.org/mailman/listinfo/zope-announce
  http://mail.zope.org/mailman/listinfo/zope-dev )
 

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [zope] : Postgre installation problem

2001-01-24 Thread jpenny

On Wed, Jan 24, 2001 at 08:36:00AM +0530, K H Subrahmanyan wrote:
 but where can I get Popy and how to install it.
 kindly give the links.
 thanks
 
PoPy is available from www.sourceforge.net/projects/popy
zpopyda is available from www.sourceforge.net/projects/zpopyda

installation of popy is in principle very easy and in practice a
bit tricky.  General instructions are: unpack it, run ./configure,
make, make install.

The make install is the tricky portion.  It needs to go into a 
directory where the python Zope is using can find it.  And that
varies depending on where you got your zope from and which distribution
you are using.

Also, make sure that postgres-dev is installed.  Some header files
are needed.

 
   -Original Message-
   From: Jerome Alet [mailto:[EMAIL PROTECTED]]
   Sent: Tuesday, January 23, 2001 6:22 PM
   To: K H Subrahmanyan
   Cc: [EMAIL PROTECTED]
   Subject: Re: [zope] : Postgre installation problem
   
   
   On Tue, 23 Jan 2001, K H Subrahmanyan wrote:
   
    I have installed postgre SQL in my linux server.
    I have installed ZpopyDA to my zope installation.
    
    but when  I run the server I get the following error.
    
    ZPoPyDA Import Traceback
    raise "The PoPy module is not installed"
    The PoPy module is not installed
   
   This is very clear.
   
   You don't have installed the PoPy module
   
   PoPy is needed by ZPoPyDA
   
   PoPy is the layer between PostgreSQL and ZPoPyDA:
   
   PostgreSQL -- PoPy -- ZPoPyDA -- Zope
   
   hoping this will help
   
   bye,
   Jerome Alet
   
 
 ___
 Zope maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope-dev )
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] ZPoPyDa doesnt find the PoPy-Module

2001-01-23 Thread jpenny

On Tue, Jan 23, 2001 at 07:41:45AM +0100, Axel Missbach wrote:
 [EMAIL PROTECTED] wrote:
  
  On Sun, Jan 21, 2001 at 11:27:30AM +0100, Axel Missbach wrote:
   Hey to all,
   having installed the PoPy-Modul-2.01. The ZPoPyDa-1.01-pre2 doesnt find
   it.
   calling "import PoPy" in the python-interprter works with out error.
   Please give me a hint.
  
  Where did your zope come from?
 I have downloaded from zope.org the version zope-2.30b2-linux2-x86.tgz

OK, I think that comes with an internal python interpreter.
Yes, indeed, it is in $ZOPE_HOME/bin.

This means that when you run python, you are probably not running the 
python that zope is running.  

I think, but am not totally sure, that the PoPymodule.so would have to go
in $ZOPE_HOME/lib/python1.5 and zope restarted for it to become
available.

(Would you try this and tell me if it works, please?)

Alternatively, one could edit z2.py to NOT use Zope's python,
or one could install the source package.  I actually recommend
the latter course.  It is a dead easy install.

Jim
 
  
   ___
   Zope maillist  -  [EMAIL PROTECTED]
   http://lists.zope.org/mailman/listinfo/zope
   **   No cross posts or HTML encoding!  **
   (Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )
  
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] form question

2001-01-23 Thread jpenny

On Mon, Jan 22, 2001 at 07:55:28PM +0100, Dieter Maurer wrote:
 Oliver Vecernik writes:
   I'm designing an application gathering data with forms. Navigation
   should be done with Prev and Next buttons. As long as I'm not leaving
   the form data should be entered, processed and the *same* or another
   form should be displayed, depending on input of the user.
   
   So far I'm able to gather data, store them in a database, but can
   anybody give me a clue or point me to some docs how to control which
   form should be displayed next? It should depend on users input of let's
   say a text field.
 Look for the "RESPONSE.redirect" method.
 
 
 Dieter

Dieter, as usual, gave a good succinct answer.  But in this case, I
think that the problem is in the way the question is framed, and not
the answer.

I am going to give a completely different answer, based on what I think
the original questioner really needed, it will be a bit long.

I am assuming that the application lays in a folder called MyApplication.

I am going to use a particular coding style that I call "going nowhere",
it is actually a state machine.  I am going to use hidden variables to
hold state, you can also use cookies, database connections or other
mechanisms.

index_html is just a chain of if statements that encode what to
display next.

For example:

dtml-if "not REQUEST.has_key('current_state')"
  dtml-var entry_form
dtml-elif "current_state=='process_entry' and action=='Next'"
  dtml-var next_form
dtml-elif "current_state=='next_entry' and action=='Prev'"
  dtml-var entry_form
 .
.
 .
/dtml-if

entry_form looks like

form action=. method=post
  input type=hidden name=current_state value="process_entry"
  input type=text size=15 name=my_variable
  input type=submit name=action value="Next"
/form

(This is where the "going nowhere" comes from.  All forms use
. as the action, so the browser never goes to another folder.)

Now, it should be easy to see how to modify index_html to handle
displaying a different form depending on the previous input.
Just put in in one of the tests.

-

To elaborate this just a bit, I also typically do an error_entry__form 
that looks like:

form action=. method=post
  font color = reddtml-var error_message/font
  input type=hidden name=current_state value="process_entry"
  input type=text size=15 name=my_variable value="dtml-var my_variable"
  input type=submit name=action value="Next"
/form

and change my index_html to look like:

dtml-if "not REQUEST.has_key('current_state')"
  dtml-var entry_form
dtml-elif "current_state=='process_entry' and action=='Next'"
  dtml-var handle_process_entry_next
dtml-elif "current_state=='next_entry' and action=='Prev'"
  dtml-var handle_process_entry_prev
 .
.
 .
/dtml-if

Then 

handle_process_entry_next looks like:

dtml-call "REQUEST.set('error_message', '')"
dtml-call canonify_process_entry_next_data
dtml-call check_process_next_errors
dtml-if "error_message != ''"
  dtml-var error_entry_form
dtml-else
  dtml-var next_form
/dtml-if

(canonify_... does approriate things like stripping, converting to a particular
case, etc.; check_... enforces data consistency conditions.)

  
This is not an original idea.  I saw it when I was pretty green, myself, and
really did not understand its attraction and power.  Here are what I now see
as the benefits.  All of the application is kept in a single folder.  The
index_html is boilerplate, essentially a single long if-statement.  The
canonify_ and check_ methods are likely to be very small also, and can be
implemented in any language.  The forms are essentially pure HTML, and can
be kept very simple (OK, the error_form has a smattering of very simple
DTML to reset the last value of the user's input).  Error handling is natural
and easy to do.  You do not have to redirect.
Redirection destroys your REQUEST, forcing you to do other things to hold
information.

The cost, only that an application's folder gets to be somewhat large.

Jim Penny

 
 ___
 Zope maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope-dev )
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] Some help required but no sarcastic comments this time please

2001-01-23 Thread jpenny

On Tue, Jan 23, 2001 at 11:17:32PM -, alankirk wrote:
 Hi there,
 i sent an email the other week regarding problems i've been experiencing with zope 
and MySQL. I've set up a database connection for zope and mysql and it sort of works. 
I can send queries to add data to my database ok but when i send a query to get data 
from my database i get one of 3 errors and my python server that zope runs from 
stops. The errors i get are Python experienced an error in (either nothing,MYSQL.DLL 
or PYTHON15.DLL). 
 I am using Zope 2.2.2 on windows(this time i'd appreciate no sarcastic comments this 
time)
 I've sent a few emails about this problem to various people (including to this 
address) and the response has been pretty poor, i've even tried to email people 
involved with the mysql database adaptors and got no response.
 It is really important that i get this problem sorted now if possible as my final 
year project for university depends on this 'bug' getting fixed.
 
 If you can give me help on this or point me in the direction of someone who can, i'd 
be grateful
 
 Cheers
 
 Alan

Alan:

This is not meant sarcastically.

You are probably the only person who has ever tried to do this!  Probably
no one can help you.  (In case people don't remember, Alan is working
on Win9x; windows 98, as I recall.)

You are working on a platform which is known for instability, with
limited debugging capabilities.

I urge you to either change to NT/SQL Server or to Linux/MySql or
to Linux/PostgeSQL.  I can help you with the last, I suspect others
can help you with either of the first two.

Moreover, the fact that you are getting crashes in multiple places and
.dll's suggests that you have hardware problems, like an overheating CPU,
or failing RAM.

Jim Penny

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] ZPoPyDA woes

2001-01-22 Thread jpenny

On Mon, Jan 22, 2001 at 12:11:31PM -0800, J B Bell wrote:
 Dear comrades in zopeness:
 
 For some time now I have been struggling trying to get Zope to talk to 
 Postgres.  I am now nearly successful and hope that the revolutionary
 spirit of fellow zopatistas will carry the day.
 
 Background:
 
 Debian 2.1r2 on a PII 600 or so (the machine is pretty loaded)
 Postgres 7.0.3
 Python 1.5.2
 PoPy 1.4.1
 ZPoPyDA 0.7
 
 The most recent vexation is simple:  after expanding
 ZPoPyDA.0.7.tar.gz (dl'ed from www.zope.org/Members/tm), there is no
 configure file and no Makefile.  Like many products, it just expands
 out into lib/python/Products/ZPoPyDA/*.  However, the README file says
 to run "./configure; make; make install".  In an acronym, WTF?

Documentation mistake.  Thierry, the main author, is French, was working 
for an Italian firm at the time of that release, and trying to document
in English.  Not an ideal situation.

 
 Bonus question:  I had a terrible time with installing PoPy itself
 until I modified the makefile to have a second -I argument going back
 to the source (.../postgres-7.0.3/src/include).  One or the other (the
 source or the installed include, that is) would result in various
 missing *.h files.  Did I install postgres incorrectly?  There was no
 .../include/catalog directory at all in the installed directories,
 which PoPy wanted.

If you installed postgres and postgres-dev from debian, it should have
installed clean.  The packages were developed under Debian!
Also note that zope-zpopyda and python-popy are part of debian.

The Debian version of these packages are a bit stale.  I should have
new ones uploaded by Next Monday.

Also, there is a far newer version available from
http://www.sourceforge.net/package/projects/popy
and
http://www.sourceforge.net/package/projects/zpopyda

Jim Penny

 
 I eagerly anticipate any clues, and thank everyone for their
 attention.
 
 --JB
 
 ___
 Zope maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope-dev )
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] SQL delimiter?

2001-01-17 Thread jpenny

On Wed, Jan 17, 2001 at 04:36:29PM -0800, Andy McKay wrote:
 Ive looked through the docs and Im sure I saw once (but cant see it now),
 some sort of delimiter between SQL statements allowing me to put multiple
 SQL statements in one SQLMethod. Was I imagining that?
 --
   Andy McKay.

No indeed, any number of SQL statments may be in a ZSQL Method,
although at most one may be a SELECT.

If you know your databases convention, you can use the normal separator,
i.e. PostgreSQL supports ';' as the separator.  Just do it.  This may
cause portability problems.

dtml-var sql_delimiter is supposed to be portable.


 
 
 
 
 ___
 Zope maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope-dev )
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] Zope Book: UniqueValuesFor

2000-12-21 Thread jpenny

On Thu, Dec 21, 2000 at 11:03:21PM +0100, Milos Prudek wrote:
 Regarding the upcoming Zope Book:
 
 There are some examples for UniqueValuesFor method and "_usage" syntax
 (it looks that only values "range:min", "range:max" and "range:min:max"
 are possible), but these are not mentioned in the DTML reference or API
 reference. Maybe Zope Book needs a ZCatalog reference, if there are
 methods like UniqueValuesFor...
 
 I would recommend that since the current Zope Book is a giant leap
 forward, these and any other language tricks that are scattered in the
 Zope Book chapters should be briefly mentioned in the ZopeBook DTML and
 API references.
 
 IMHO there are many people like me who:
 
 - are trying to start using Zope BECAUSE OF the final availability of
 Zope Book
 - for various reasons are not very comfortable with hunting information
 around zope.org and in Zope sources (no permanent internet connection is
 a strong reason)
 - consequently expect to find all basic information in coherent form in
 Zope Book

Wonderful goals, but...
the problem that I see is that Zope contains so much and can be used in
so many ways that any book is simutaneously too limited and out of date.

Think of the technologies that Zope already embraces, DTML, python,
some XML, XML-RPC, DAV, ftp, http, HTML, SQL, LDAP, CVS, Zcatalog.  
I counted 14 SQL database adapters, alone, and I am sure I missed some.

Add in technologies coming on line such as perl, SOAP, ZPatterns, ZEO, 
CORBA, COM and others.

Add major application packages  like Squishdot, OIO, ZopeGUM, zCommerce,
etailer and others.

And this misses some biggies including on the fly graph and visual
generation.  Assuming that each can be suitable discussed in an average
of 100 pages, we have at least 22 * 100 = 2200 pages.  Books this size 
just don't fly.  (They really hurt when dropped on your foot, too).


 
 Obviously, Zope Book can't contain everything. I like the sentence "this
 is an advanced topic and it's outside the scope of this book". Authors
 have put limits to what they want to achieve. I wish that the ZB is
 coherent in the "explanation - example - reference" trio.

That is a great sentence.  Unfortunately, it is completely misleading in 
this context.  The problem is not so much what is too advanced, but what is
too basic or too specialized.  From what I have seen on the list, most newbies 
know too little HTML, too little SQL, and too little python.
(Newbies shouldn't be mucking with Zope internals, these are the things
that are 'too advanced').

But, this comes from a particular view of the elephant, one which sees
Zope as an quick web application framework.  This is hardly the only view.

I use Zope in a particular way, emphasizing HTML, DTML, python,
SQL.  It is not at all being used the way that DC intended, yet because
Zope flexibly integrates a great deal of basic technology, it can be used
reasonably well to do what I want it to do.  This is a good measure of
great technology.

Don't forget that there are 252 HowTos and 83 Quick tips in addition
to the Zope Book, the Guides, and API reference.  All of these can
be dowloaded to your computer.  You do not need a full time connection.
(And they are all bundled so that you do not have to download them one 
at a time!)

Zope is never going to be easy to learn.  There is just too much.  Yet,
Zope is not hard to begin, and the Zope Book is about making it easier
to begin.  As such, the encyclopedic detail that you are requesting is
not only unneeded; it is harmful, it gives the impression to the reader
that enormous knowledge is needed to use Zope.  This is not true.

Begin to use Zope.  Find out what it enables you to do easily.  When you
hit the hard patches, look at the tips and howtos.  Only then log onto the net.
Search Zope.org. Use the mailing list.  When you get an answer, think hard.  
Bit by bit, enlightenment will occur.  You will never know all of Zope, 
but it will become easier and easier to do harder and harder things.

And, the first six weeks are killers, the next six are a pleasure, and
then you start to regret all that you could have done better.  It is
much like the rest of life!


Jim Penny

 
 
 --
 Milos Prudek
 
 
 
 ___
 Zope maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope-dev )
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] To retrieve properties from a dtml document

2000-12-19 Thread jpenny

On Mon, Dec 18, 2000 at 09:10:54PM -0500, Ausum wrote:
 Hello Andy, thanks for the advice.
 It didn't work. Maybe I'm wrong at any point, so please tell me whether
 it worked for you.
 
 I'm aware that this problem has been discussed here before, that it
 happens because of Python's object naming, and also that there's a
 workaround at least (and just)for expressions, using _['whatever.html']
 
 Due to the kind of workflow we have, we need all of the documents to be
 editable with Dreamweaver at any moment, directly, after the daily WGET
 process. Batch-replacing every "_html" with ".html" in file names and
 content seems to be very complicated within this scenario.

Going from dreamweaver to Zope, if you are working on 
unix, batch replacing is EASY, a single find command to 
change the file names and a simple
sed script (or python or perl)  to change hrefs.  
You will need to write such a script anyway, if your servers
are Unix or Linux and your Dreamweavers are Windows.  You will
find that your windows people mix filename case randomly and
expect it to work; you will have to canonify all hrefs to a
single case convention.

If going from zope to dreamweaver, either write the corresponding
_ to . scripts and batch it, or write a checkout external script
that does it for you.  I have not thought about this latter option
very much, but the export facility should give you an example of
how to do this.  I doubt if it is much more than a day's reading
and two days coding (and this is being damn generous, as I suspect 
that this is a ten line script).

You still have given no cogent reason for using Zope.  If you have only,
or predominatly static content, you are paying a huge overhead penalty.
If you have mixed static content and dynamic content, use apache and
ProxyPass to front-end the dynamic content, and apache to serve the
static content.  Then you have no conversion worries at all on the
static content.

Jim


___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] Stupid File Upload Question

2000-12-18 Thread jpenny

On Fri, Dec 15, 2000 at 04:59:07PM -0800, Jonothan Farr wrote:
 What sort of problems were you seeing with LocalFS? Maybe I can fix them.
 
 Thanks,
 --jfarr
 
 - Original Message - 
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, December 15, 2000 4:22 PM
 Subject: [Zope] Stupid File Upload Question
 
 
  This is for Jos:
  
  I ran into the same problem today.  I had previously used this method,
  and it works better than LocalFS for my purposes.  Anyway, be absolutly
  sure that your form says:

Fiest, LocalFS turns out to have the same problem.  MSIE does not
interact well with method=get and file input methods.

  
  form method=post action=whatever method="multipart/form-data"
  ...
  /form
  
  Then you should be able to access REQUEST.form['attachment'].filename
  and REQUEST.form['attachment'].read()  (Well, I hope).
  
  If the method=post is omitted, Netscape (linux at least) will work.
  MSIE will not.
  
  Man I ain't got enough hair for these kinds of problems!
  
  Jim Penny

I want/need to collect some metadata along with the file.  Say I want
a file, a title, some keywords.  (And I have some idiots with 80MB files).

I would like to enforce the following:

No two files from a given user can have the same title.
A given file may not be uploaded twice by the same user with
different titles.

With LocalFS, as it stands, it is hard to determine the file that 
was uploaded.  (It is not returned by manage_upload, I could create
an id, but that has its own problems (downloading creates unexpected
files on the client PC's)).  This can be modified, but...

More importantly, it is really hard to see how to handle both of
the conditios above cleanly.  With LocalFS, I found no easy way
at all to combine the error checking implied by the metadata and
the error checking desired for the file name.

  
  ___
  Zope maillist  -  [EMAIL PROTECTED]
  http://lists.zope.org/mailman/listinfo/zope
  **   No cross posts or HTML encoding!  **
  (Related lists - 
   http://lists.zope.org/mailman/listinfo/zope-announce
   http://lists.zope.org/mailman/listinfo/zope-dev )
  
  
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




[Zope] Stupid File Upload Question

2000-12-15 Thread jpenny

This is for Jos:

I ran into the same problem today.  I had previously used this method,
and it works better than LocalFS for my purposes.  Anyway, be absolutly
sure that your form says:

form method=post action=whatever method="multipart/form-data"
...
/form

Then you should be able to access REQUEST.form['attachment'].filename
and REQUEST.form['attachment'].read()  (Well, I hope).

If the method=post is omitted, Netscape (linux at least) will work.
MSIE will not.

Man I ain't got enough hair for these kinds of problems!

Jim Penny

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] Difference between Methods and Scripts?

2000-12-14 Thread jpenny

On Thu, Dec 14, 2000 at 04:56:15PM +, Hamish Lawson wrote:
 I see that the latest version of the O'Reilly Zope book now talks about
 Python and Perl *Scripts*, but refers still to DTML and ZSQL *Methods*.
 Does this reflect some actual conceptual difference between a Script
 and a Method, or is it simply because of the burden of also renaming
 DTML, ZSQL, etc?
 
 I understand that it is recommended that logic be implemented using
 Python/Perl Scripts, while DTML Methods should now be reserved for
 presentation; but I wasn't sure if that could be the rationale for the
 Scripts/Methods division, since ZSQL Methods don't really fall into the
 presentation category.
 
 Hamish Lawson
 

The whole renaming mess has been unpleasant.

The real problem is that method has a technical meaning in Python
(and perl) that predate any usage in Zope.
It happens that Python Methods do not have the same properties as
methods in Python.  This was felt to be too confusing.

But, Methods do not have any technical meaning in SQL, or in DTML.
So, it was felt that there was no large gain and much potential 
confusion in renaming something that people had been using for
some time only to make it analogous to the renamed Python Method.

I still want to see a thingy patch applied!
Long live Python Thingies!

 
 =
 Hamish Lawson  [EMAIL PROTECTED]
 
 
 Do You Yahoo!?
 Get your free @yahoo.co.uk address at http://mail.yahoo.co.uk
 or your free @yahoo.ie address at http://mail.yahoo.ie
 
 ___
 Zope maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope-dev )
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] PythonScripts and ExternalMethods

2000-12-04 Thread jpenny

On Mon, Dec 04, 2000 at 03:27:23PM -0500, Evan Simpson wrote:
 From: Chris Gray [EMAIL PROTECTED]
  I notice that the CVS tree for Zope2 has incorporated
 (internal)
  PythonScripts and gotten rid of (external) PythonScripts.
 This leaves the
  old ExternalMethods but without the Bindings tab.  Will
 External Methods
  eventually include this and present a form for passing
 argument values
  when the TryIt tab is used?
 
 Jim and I expect to make External Methods obsolete, rather
 than upgrading them.  In the near future, you will be able
 to get most of the functionality of External Methods from
 Python Scripts' import capability.  In the longer term, we
 expect Zope 3 to completely change the way you write Zope
 code.
 

Would you please clarify this.

Are you talking about how the interaction between Zope and
the programmer is performed?  Are you talking about API?
Or what?

In particular, are you talking about killing DTML?  This would
be very worrisome, as I have enough code that I would not like
to rewrite it all in the near future.

Jim 

 
 Cheers,
 
 Evan @ digicool  4-am
 
 
 ___
 Zope maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope-dev )
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] Python Zope Method as option for renamed Python Method?

2000-11-08 Thread jpenny

On Wed, Nov 08, 2000 at 05:08:13PM +0100, Oliver Bleutgen wrote:
  Hamish Lawson [EMAIL PROTECTED] wrote
 
  Python Zope Method
  Perl Zope Method
  SQL Zope Method
  DTML Zope Method
  Rebol Zope Method
  Java Zope Method
  VB Zope Method
  Custom Zope Mthod
  etc..
 
 and perhaps let "Zope Method" become a "ZMethod", a bit shorter.

A winner by acclamation!

Now, how about internal/external?

 
 oliver
 
 ___
 Zope maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope-dev )
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] ZMethod (Safe)

2000-11-08 Thread jpenny

On Wed, Nov 08, 2000 at 01:12:12PM -0500, Evan Simpson wrote:
 From: Chris Withers [EMAIL PROTECTED]
  [EMAIL PROTECTED] wrote:
  
   Now, how about internal/external?
 
  Safe and Flexible are probably more meaningful words there ;-)
 
  ZMethod is growing though ;-)
 
 We've pretty much settled on restricted/unrestricted here.  In honor of the 
presidential Indecision
 2000 race, we're seriously thinking about revamping and rerunning the poll, so 
ZMethod may well get
 its moment in the spotlight.
 
 Cheers,

Well, you guys are the Zen Masters of Zope.  But, I am going to give one
more attempt at explaining why this decision is lacking in enlightenment.

The presumed audience of the terminology is newbies, not security managers.
We want everyone, but newbies in particular, to use the restricted method
whenever possible.  But no newbie wants to be restricted/strait-jacketed/
'kept from the cool stuff'.

You are proposing a term with negative conotations for the option that
we want people to prefer!  

Moreover, some meritorious suggestions for names were overruled for being
too long, or hard to say.   Unrestricted/Restricted fail this criterium
also.  Unrestricted Zope ZMethod (8 syllables, 26 letters) is quite a 
mouth full.

I understand your reluctance for Safe, with its immediate antonym Unsafe.

But, please find a positive term for the Restricted version.  Perhaps
Ordinary/Power, ''/Power, Ordinary/Super, ''/Super, Muggle/Wizard.

[If you use Super, the documentation can begin:
Stronger than a locomotive, able to leap strong buildings at a single
bound, able to import any module, able to escape for a secure lockbox, 
a method with Super powers.  But don't unleash this method without
understanding it fully!]

Damn, I am beginning to think that Tame Snake Thingy and Wild Snake
Thingy are the best yet!

Hoping this increases satori.

Jim


 
 Evan @ digicool  4-am
 
 
 ___
 Zope maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope-dev )
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] ZMethod (Safe)

2000-11-08 Thread jpenny

On Wed, Nov 08, 2000 at 05:48:22PM -0500, Jason Cunliffe wrote:
 Evan Simpson [EMAIL PROTECTED] wrote
   Safe and Flexible are probably more meaningful words there ;-)
  
   ZMethod is growing though ;-)
 
  We've pretty much settled on restricted/unrestricted here.  In honor of
 the presidential Indecision
  2000 race, we're seriously thinking about revamping and rerunning the
 poll, so ZMethod may well get
  its moment in the spotlight.
 
 lol
 
 Good news: 'ZMethod' is nice and 'sounds' good, however one says it.
 
 'safe' / 'flexible' imho=nice ideam but a little too subjective, not
 informative enough
 
 'restricted' / 'unrestricted'
 
 hmm.. better because more functional, but how about:

Yes, but drives people away from the prefered option.  (restricted is
prefered!)

 
 
 1. 'closed' / 'open'

Both are equally open, especially in the new 'Wild Python Thingys are
editable via the Web' paradigm.

 
 2. 'builtin' / 'custom'

Both are custom.

 
 3. 'local' / 'custom'

???

 
 4. 'client-side' /  'server-side'
 

Both are server-side.

 ???
 
 - Jason
 
 
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] ZMethod (Safe)

2000-11-08 Thread jpenny

On Wed, Nov 08, 2000 at 06:13:54PM -0500, Evan Simpson wrote:
 From: Jason Cunliffe [EMAIL PROTECTED]
  Good news: 'ZMethod' is nice and 'sounds' good, however one says it.
 
 I agree, but then everyone around here thought that Zopelet was fairly 
 unobjectionable, even though  nobody really *liked* it.
 
 
 From: [EMAIL PROTECTED]
  Presumably the focus here is on newbies, not security managers.
  No newbie will ever want to use a Restricted Python ZMethod.
  What newbie wants to be limited/strait-jacketed/'kept from the cool stuff'?
 
  You are propsing a word with negative conotation for something that should
  be prefered!  Yes, it is accurate, but that is beside the point.
 
 The two varieties aren't competing, and we aren't trying to promote one over 
 the other.  If a newbie  is willing to put up with the risks and awkwardness 
 of the current unrestricted design simply  because they sound "cooler", we 
 don't need to stop them.  The documentation will present the  restricted type 
 first and tout their advantages, but explain clearly when and why you would 
 want to  go to the trouble of going unrestricted.

There are several objections to this paragraph.  Of course they are competing,
for mindshare if nothing else.  Newbies don't know risks.  That is much of
what makes them newbies.  And it presupposes that the documentation exists,
is obviously accessible to recent Zope converts, and is actually read before
they 'Add a Method'.  Also, with the 'Wild Snake Thingy edittable from the
Web' paradigm, there is no awkwardness with which the user must put up.

 
  Moreover, this also fails the concise/'easy to say' test that was
  used to kick out several other meritorius naming suggestions.
  Unrestricted Python ZMethod (8 syllables, 26 letters) is a
  mouthful!
 
 True (although some of the alternatives base names were worse).  
 Considering that there aren't (yet)  other language variants, and that 
 I would usually use the restricted kind, I would normally just say
 "ZMethod".  Only if there were some potential confusion would I say 
 "Unrestricted zmethod", or the  full title.
 

If you must do this, at least make it 'Python ZMethod' and
'Python ZMethod - Unrestricted'.  As you have said above, the usual
method will be normally pronounced 'ZMethod', or 'Python ZMethod',
why not drop the silent Restricted?  Also, I consider it important
that the usual method appear first in the 'Add a Method' pulldown,
which the above forces.

 
 Cheers,
 
 Evan @ digicool  4-am
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope-dev] Task, Job or Operation?

2000-10-23 Thread jpenny

On Mon, Oct 23, 2000 at 03:07:25PM -0700, James Johnson wrote:
 Is there a Wiki or some other starting point for this thread. As a 
 newbie I like safe vs power over anything else.  I also understand 
 that with using anything in a power mode can be risky for a newbie.  
 It's nice to know that I can start out learning in a safe mode and 
 then graduate to a power mode after learning more. Is there a 
 ZopeScript and why not? Safe ZopeScript can be written in using other 
 scripting languages.  Zopelet imho is not as marketable as ZopeScript.

OK, this is the problem.  There are several ways of writing executable
code available to other objects in Zope.  One is the Python Method.
It is available from http://www.zope.org/Members/4am/PythonMethod

From 4am's page:
PythonMethods will not allow assignment to an attribute, element, or slice. 
No "del" is allowed.  Names starting with "_" are not accessible. Import 
is controlled. Globals all live in a private namespace.

There is a proposal to call this construct a Zope Script.  And your
message is exactly the ammunition I wanted.  Thanks!

The other way to script in python is currently called an External
Method.  Since perl is being added as a Zope scripting option, this
will clearly have to be renamed, as well.  External Methods have none
of the restrictions of PythonMethods.  This makes it quite easy to escape
all Zope security, to crash Zope, and to do other nasty things.  Needless
to say, Zope hosting sites do not generally provide External Methods.

There is no ZopeScript, and probably never will be.  What would
ZopeScript do?  Would it be a construct like JavaScript that was
executed on the client's computer?  If so, every browser vendor would
have to support it.  This is unlikely, to say the least.

Is it server side?  Then DTML, PythonMethods (to be renamed), PerlMethods
(which don't exist yet), External (Python) Methods, External Perl Methods
(which also don't exist yet) give plenty of scripting options, without the
need for another language.

It is not at all clear that Safe scripting methods (in the strong sense
meant here, meaning that it can neither damage the client nor the 
server), can be written in languages other than Python (I have
heard some doubts expressed about perl).

And, there is generally no need to "graduate" to external (power)
methods.  You only need to use an external method when you need a
module not imported by Zope (not available through the _ namespace).

So, you have written several things in your message that really
bolster my dislike for both zope script and power as terms.
1) You have gone from the word Zope Script to a separate language
ZopeScript in a single bound.  2)  You have assumed that you will
want to "graduate" from Safe Methods to "Power" Methods (You don't,
external methods are last resort options).  3)  "Power" methods
don't require a lot more learning than Safe Methods.  You have
to learn what modules are available, but you are using the same
language in either case!

Maybe my suggeston of flexible is to weak.  Maybe they should be
Escape Hatch Python Operations (Escape Hatch Python Zopelets)!

   When you call it operation, method, or function it takes it away 
  from it's context.  This is zope specific right?  Excuse me while I 
 use safe ZopeScriptPython or power ZopeScriptPerl.

Not really Zope specific in the sense you mean.  It is an object (not
in the OO meaning) that can be called from a Zope site.  But the 
language is pure Python (perl), with no modifications, and usually
can be snipped and executed outside of Zope.

 
 
 Get your Free E-mail at http://tacoma.zzn.com
 
 Get your own Web-Based E-mail Service at http://www.zzn.com
 
 ___
 Zope-Dev maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope-dev
 **  No cross posts or HTML encoding!  **
 (Related lists - 
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope )
 

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )




Re: [Zope-dev] Python and Perl scripts

2000-10-20 Thread jpenny

On Fri, Oct 20, 2000 at 01:01:59PM +0100, Chris Withers wrote:
 This one is probably the most useful of the lot ;-)
 
 From: Michel Pelletier [EMAIL PROTECTED]
 
 Greetings,
 
 Well, Jim, Evan, Brian and I pow-wowed yesterday and came up with an
 interesting change.  The world 'Method' is too overlaoded, as it means
 too much to too many people.  Also, Python Methods don't work like
 methods in python, which was my argument, but they are very useful and
 there are sound reasons for them working like they do (which J, E and B
 convinced me of yesterdat).  We have decided to change the name of
 Python Methods to something else, the current candidate being 'Python
 Script'.
 
 'Script' objects make a lot of sense, they don't overload the concept of
 methods, they describe an action that people commonly want to do (script
 the web) and they clear up a lot of potential confusion for newbie and
 old-hat alike.
 

Oh, yuck!  Now we have to explain why PythonScript is safe, and JavaScript
sucks rocks (from a security standpoint).  And from common web convention,
it would appear that PythonScript would run on the client side, rather
than the server side.  Since the -let suffix appears to have taken on
a server side connotation, perhaps that can be used.

Python Function is not quite right, as it is fairly common (for me, at
least) to define some helper functions in a Python Method.  But it is
better than Python Script.

So, I guess my preferences would be:

PythonSafeScriptlet
PythonScriptlet
PythonSafeScript
PythonSafeFunction
PythonFunction
PythonBundle
PythonMethod
PythonScript

in descending order of preference.


 
 -Michel
 
 ___
 Zope-Dev maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope-dev
 **  No cross posts or HTML encoding!  **
 (Related lists - 
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope )
 

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )




Re: [Zope-dev] Python and Perl scripts

2000-10-20 Thread jpenny

On Fri, Oct 20, 2000 at 02:18:47PM -0700, Michel Pelletier wrote:
 [EMAIL PROTECTED] wrote:
  
 The proposal is not for PythonScript but a "Python Script".  We are not
 inventing a new language, this is python, we are just coming up with the
 name for an object.  Don't capitalize it and you'll see what I mean.  Go
 write a python script.  I'm gonna write a python script that handles
 this HTML form.  If we do this with a python script instead of a DTML
 method, it will be much clearer.  Wow, this perl script has lots of
 slashes in it.

I understand, but if naming is under consideration, I worry about
inadvertant connotations.  I feel that in the web space, _-script
has come to mean that the language is a client side actor, witness
javascript, ecmascript, vbscript.  

(On the other hand, PythonScript, PerlScript, and ReXXScript appear
be server side stuff in ASP.) 

And I see a difference between PythonScript and Python Script, but
I don't hear it!

 Function is just as technical as method.  These are OO techncial
 programming terms (function less than method).  The idea is to lower the
 bar for people using Zope.  People who only know HTML will be much more
 likely to grok what a script is than a method.  We want to avoid
 elitism.  Method is total OO elitism, function less so because it's very
 language neutral, and script is like plain vanilla ice cream, everyone
 gets it.
 
 Like chocolate and coconut-shaving covered almonds, technical details
 mixed in with your ice-cream will appeal only to a smaller crowd.  It
 will not help define what 'ice cream' is.  It will turn away a group of
 users who may have never know they could mix in sardines and sweet
 tarts.  Technical details before the key idea is explained is
 *dangerous* belive me, and it is the pitfall of all existing Zope
 documentation to date.

Actually, I am not sure that script is much less technical than
function.  I think script, as in bash script, or scripting language
is very crabbed and technical indeed.  The only pre-computer usages
I know of script(n.) are indicative of a cursive style of writing,
apeper money,  or a thing that playwrights produce.  I don't think 
that playwrights are going to suddenly start wanting to use python!  
I think that script, as in "scripting language" is simply something 
that most people indeed do not get!

 
 The new DC documentation motto is "Explain key ideas in simple terms." 
 Method is not a simple term.
 

I don't disagree with your goal.  I do disagree with this particular
choice of words.  

I can see four potential properties that one could want to emphasize
about a python method.

1) It is safer (to the Zope server) than a python external method.
2) It safer to the end user than a JavaScript (it never touches the client).
3) It uses python, and not something else as its implementation technique.
4) In OO terms, it is not really a Method.

Hence the preference for Safe in the name.  Even a newbie ought not to
be able to cut himself too badly on a python method.

There is talk of perl methods.  So we need python in the description.

Now we just need a generic term, which will not cause other confusions
later on down the road for the concept.  I really don't like script,
especially next to a language name (in the web domain).  You don't like
function (which was not my suggestion).  Thingie seems a bit too non-
descriptive.  Widget has technical meaning.  Perhaps task or job are
suitable, as in
Safe Python Task
Safe Python Job
Safe Python Subtask
Safe Python Function
Safe Python Script

Then external methods, which are often also not methods, can become
Flexible Python Task
Flexible Python Job
Flexible Python Subtask
Flexible Python Function
Flexible Python Script

But if you really want to use
Tame Snake Thingy, and
Wild Snake Thingy,
go ahead, but please do not credit me in the documentation!

As another obesrvation, substituting script for method is not really all
that helpful for the other (misnamed) method, DTML Method.
DTML Script is just not all that much clearer!

 Zope-Dev maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope-dev
 **  No cross posts or HTML encoding!  **
 (Related lists - 
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope )
 

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )




Re: [Zope] Deleting data using ZSQL

2000-09-29 Thread jpenny

On Thu, Sep 28, 2000 at 11:17:03PM -0400, [EMAIL PROTECTED] wrote:
 Hi,
 
 I am writing a dtml method that deletes data from a database, and I found
 myself unable to do this.  It seems that ZSQL is used to insert, update
 and query a database. but can not use
 "delete from table where var=dtml-var foo"
 
 Two things, both previusly said, but both worth expanding on:

1)  What you are doing is not type-safe and not data-safe.  
If var is a string, for example,
that contains "this; delete from table;" You would probably not like
the result.  (Most SQLs would delete everything in the table!).

At least, you have to do
"delete from table where var='dtml-var foo'"`  (if var is string).

This is still not data-safe.   A string like 
"this'; delete from table; update table where var=NAME set var='"
is just as nasty as the previous one, although it is a bit harder
for a drooling idiot to think of.

delete from table where var=dtml-sqlvar foo type=string is perfectly
data-safe.  Dtml-sqlvar does two things for you:  It embeds the item
in the type of quotes appropriate for the TYPE= construct, AND it 
quotes (escapes) any characters passed to it.  This makes sure that
any strings are strings, and cannot contain hidden live commands.

(It would make the second example expand to something like

delete from table where 
var='this\'; delete from table; update table where var=NAME set var=\''

And this is a perfectly legal SQL statement that probably does no
deletion, but does no harm either!

2)  You may be seeing a DB-admin problem, rather than a ZSQL problem,
make sure your Zope DB-user account has delete permission.

Jim Penny

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] Arbitrary SQL?

2000-09-29 Thread jpenny

On Fri, Sep 29, 2000 at 06:19:35PM +0300, Erno Kuusela wrote:
 Hello,
 
 i'm obviously missing something obvious, but how does one
 execute arbitrary sql statements from an external method?

Look at 
http://www.zope.org/Members/jpenny/Accessing_a_ZSQL_Method_from_an_External_Method

Now think about a SQL method with parameter body and template like:
dtml-var body

You can now do anything by supplying body as an argument.


Note.  This is  really BAD idea.  By doing this, you will construct
a web accessible method which permits anyone with access rights to 
the external method to do anything at all your database.  Not good.

Even though it is irritating from a programmer's point of view, 
it is much better to define a series of restricted ZSQL methods
that do as little as possible.  This permits far more damage control.



 
-- erno
 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] FSF about Zope and GPL'ed components

2000-09-20 Thread jpenny

Let me ask a more precise question.

Zope is not released under GPL.

Joe repleases a component which can be used with Zope under GPL license.
Zope.org makes it available for download, but in no way incorporates
it into their base system.  (I.e., it is available for integration
by an end user).

Joan uses Zope with Joe's component (Product in Zope parlance).
She writes something that depends on Joe's product being present,
but makes no modification to Joe's product.  She does not wish
to GPL her work.

Can she give directions on how to acquire Joe's product and install
it preliminary to installing her own work?

Can she distribute Zope, Joe's product, and her own product, as long
as they are packaged separately?

Can she write an installer that fetches Joe's Product and installs
it before installing her own work?


___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope-dev] DISCUSS: XHTML Templates proposal

2000-09-15 Thread jpenny

On Fri, Sep 15, 2000 at 04:55:53PM -0700, Paul Everitt wrote:
 
 [EMAIL PROTECTED] wrote:
  IMHO, view, page, and stylesheet don't make the grade due to
  conflicts/confusion with unrelated technologies (e.g. MVC, "server pages",
  CSS, etc.).
 
 On the other hand, reading the "What is styles?" material at:
 
   http://www.w3.org/Style/
 
 ...makes me think that the goals of the people using these things (site
 designers) are the same as the goals of the audience described for
 stylesheets.  That is, these are things that control the presentation.
 
 --Paul

This might be a great idea, but..., could we have a pledge that
DTML not be killed?  It might prove to be a real inconvenience
(understatement) to those of us who are abusing Zope to do
general web application work (and don't really care about
site design, in the usual sense of the word)!  

DTML might be an ugly, warty, hard to believe it sprang from
Python little beasty, but it is a familiar little beasty.
(And thanks for giving it to us, by the way!)

 
 ___
 Zope-Dev maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope-dev
 **  No cross posts or HTML encoding!  **
 (Related lists - 
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope )
 

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )




Re: [Zope] Zope and the GPL poison pill

2000-09-13 Thread jpenny

On Wed, Sep 13, 2000 at 11:29:23PM +0200, Nils Kassube wrote:
 I'm only pointing out what I think is a problem with using a
 GPL'ed component in a Zope site. 
 
 My Zope-specific problem is: If I use a GPL'ed component in a complex
 object oriented environment like Zope, does this mean that the whole
 work is now subject to the GPL? 
 
 work = Zope-based web site/web application

No, GPL does not affect non-program parts of the work.  Nor does it
affect work that "uses" GPL code, i.e. that makes function calls or
that makes method calls.

 use = e.g. subclassing it or method calls, etc.

Yes, it would feel to me that subclassing is a derived program. You
are taking a preexisting program and modifying it; your work cannot
stand on its own.  In spirit, this appears to be not very different 
from patching a program (except that the patch is done on-the-fly,
rather than statically). 

And no, using a GPL program does not magically create a derived program.
For example, using gcc as a compiler does not require that any code
thus compiled be GPL.  Similarly, using a method does not require that 
every object/method which calls/invokes to be GPL.

I think you are getting hung up on 
"The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it"

Notice that it talks about the _work_ containing the Program, not
the _system_ containing the program.  The system may contain
GPL and non-GPL code.  Again, installing gcc on a computer
does not automatically force every other piece of software on the
computer to be GPL (containment on a hard disk is not what this is
about!).  A single tar file may contain both GPL and non-GPL
components (containment in a bundle is not what this clause is
about!).  Simile, containment in Zope is not what this clause is
about.

As long as what you write does not modify the GPL'ed program, 
either by removing, adding, or altering the GPL program itself,
the license does not put any restrictions on you.

Jim Penny

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] how can I determine the list of user names?

2000-08-24 Thread jpenny

On Thu, Aug 24, 2000 at 10:05:18AM +1000, Curtis Maloney wrote:
 On Thu, 24 Aug 2000, [EMAIL PROTECTED] wrote:
  I would like to construct a pull down of the users defined in
  an acl_users of a particular location.
 
 I am doing this soon, also, so I've put in a little thought on the problem. 
 (But only a little :)
 
  Say in particular, that /protected/acl_users exists.  How do
  I find (in dtml or in python), the list of names defined in that
  particular acl_users.
 
 
 My guess (untested) is :
 
 select name="users"
   dtml-in getUserNames
 option value="dtml-var sequence-item"dtml-var sequence-item
   /dtml-in
 /select

Thanks.  Real close.  Again, assuming /protected/acl_users is the list
of users I am interested in:

dtml-in "protected.acl_users.getUserNames()"
 dtml-var sequence-item
/dtml-in

will grab the user names.  The pull down is basic html.

   
  To slightly generalize, how would one tree-walk to find the list
  of all acl_users above a particular object?

I am not really worried about this.  The above suffices for me (and I
think I could do it from the above anyway).  This part of the question was
asked only for completeness.
 
 Well, as I said, this is untested, but I'm assuming getUserNames does this 
 for you.  The ZQR is somewhat sparse on the details.
 
 
  Thanks
 
 Please, let me know how this goes.
 
  Jim
 
 
 Have a better one,
   Curtis Maloney
 
 ___
 Zope maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope-dev )
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




[Zope] how can I determine the list of user names?

2000-08-23 Thread jpenny

 I would like to construct a pull down of the users defined in
an acl_users of a particular location.  

Say in particular, that /protected/acl_users exists.  How do
I find (in dtml or in python), the list of names defined in that
particular acl_users.  

To slightly generalize, how would one tree-walk to find the list
of all acl_users above a particular object?

Thanks

Jim

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] Requested Zope feature

2000-08-09 Thread jpenny

On Wed, Aug 09, 2000 at 04:48:07PM +0100, Seb Bacon wrote:
 yup, this is how i work too.  
 
 how about adding some javascript to the manage_* methods that reload the
 related window (if it's open) whenever the source changes, too?  a problem
 with this might be ending up with a mass of windows all over your desktop,
 which is invariably horrible.
 
 otoh, there's (almost) no js in the management interface at the moment, and
 i generally think this is a good thing.  i hate js.  i presume this was a
 design decision from the start?  however, if this was to guarantee browser
 interoperability, why are there lots of frames everywhere?  and there is
 some js beginning to creep in now (e.g. help screens).
 
 however, this functionality would not replace any existing interface bits so
 perhaps it's not a bad thing.  and although i hate js it can be a very
 useful piece of evil.  a dynamic tree on the left instead of a yuk frame
 that hardly ever reloads would be a nice thing too.
 
 just thinking aloud.
 
 seb.

Please don't js this thing to pieces.  At least not until there are good
alternative editors/managers available.  I run permanently with js disabled,
and when mozilla is stable enough, will run with js permanently removed.
Requiring js to use zope would be enough to convince me to look elsewhere!

Jim Penny

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] Changing my session identity

2000-07-20 Thread jpenny

On Thu, Jul 20, 2000 at 11:38:23AM -0400, Chris McDonough wrote:
 No, unfortunately, you need to stop and restart the browser.

Well, netscape 4.73 at least identifies http://server:8080 and
http://server.whatever.com:8080 as separate authentication
domains.  So, you can use one as your administration account and
one as your test account, if you are in the same domainas the server.

 
  -Original Message-
  From: Jim Washington [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, July 20, 2000 10:40 AM
  To: Chris McDonough
  Cc: [EMAIL PROTECTED]
  Subject: Re: [Zope] Changing my session identity
  
  
  How does one become Anonymous User without stopping/restarting the
  browser? Is there a special username/password for that?
  

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] NESTED IN STATEMENTS AND PASSING VARIABLES in DTML

2000-07-20 Thread jpenny

On Thu, Jul 20, 2000 at 12:27:01PM -0500, Theodore Patrick wrote:
 What is the DTML syntax for nested in statements. Here is an example.
 
 
 EXAMPLE 1: NO VARIABLE PASSING
 
 GOAL: loop 4 times and with each loop run the category_method and print out
 the results:
 
 dtml-in "1,2,3,4"
 dtml-in "category_method(id='1')" size=100 start=query_start
 id=dtml-var idseq=dtml-var seqvid=dtml-var vid
 /dtml-in
 /dtml-in
 
 WORKS!
 
 
 EXAMPLE 2: VARIABLE PASSING
 
 GOAL: Loop in the active_category_method and for each row run the
 category_method passing a new 'id' variable and print out the results.
 
 dtml-in "active_category_method()"
 dtml-in "category_method()" size=100 start=query_start
 id=dtml-var idseq=dtml-var seqvid=dtml-var vid
 /dtml-in
 /dtml-in
 
 ERROR -- ID is not being passed to "category_method()"
 
 
 Anyone have a solution out there?
 
 NOTE: active_category_method and category_method are SQL METHODS. Where 'id'
 is and SQL_VAR for category_method.

This is FAQ material and should be inserted into either the DTML programmer's guide
or the ZSQL Methods guide.  It bites everyone who uses SQL methods eventually.

ZSQL methods do not perform acquisition, but will look at REQUEST, change it
to.
dtml-in "active_category_method()"
 dtml-call "REQUEST.set('id', id)"
 dtml-in "category_method()" size=100 start=query_start
 id=dtml-var idseq=dtml-var seqvid=dtml-var vid
 /dtml-in
 /dtml-in

If you have a lot of arguments that need to be captured, you can
build a DTML Method, say setup_category_method_parameters that
has these builds the REQUEST.  Then your dtml can look like:
dtml-in "active_category_method()"
 dtml-call setup_category_method_parameters
 dtml-in "category_method()" size=100 start=query_start
 id=dtml-var idseq=dtml-var seqvid=dtml-var vid
 /dtml-in
 /dtml-in



 
 Thanks in advance!
 
 Theodore E. Patrick
 Ishophere.com
 
 ___
 Zope maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope-dev )
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




[Zope-dev] Traceback

2000-07-18 Thread jpenny

How hard would it be to add more of the called URL to the traceback?

Background:
I have been developing relatively baroque SQL sites for internal use 
and find that when I am making changes to facilitate re-use higher up
in the hierarchy, it can be relatively difficult to find out what 
failed.  For example, I get this traceback:

Traceback (innermost last):
  File /home/jpenny/zope/Zope-2.2.0b4-src/lib/python/ZPublisher/Publish.py, line 222, 
in publish_module
  File /home/jpenny/zope/Zope-2.2.0b4-src/lib/python/ZPublisher/Publish.py, line 187, 
in publish
  File /home/jpenny/zope/Zope-2.2.0b4-src/lib/python/Zope/__init__.py, line 221, in 
zpublisher_exception_hook
(Object: ElementWithAttributes)
  File /home/jpenny/zope/Zope-2.2.0b4-src/lib/python/ZPublisher/Publish.py, line 171, 
in publish
  File /home/jpenny/zope/Zope-2.2.0b4-src/lib/python/ZPublisher/mapply.py, line 160, 
in mapply
(Object: index_html)
  File /home/jpenny/zope/Zope-2.2.0b4-src/lib/python/ZPublisher/Publish.py, line 112, 
in call_object
(Object: index_html)
  File /home/jpenny/zope/Zope-2.2.0b4-src/lib/python/OFS/DTMLDocument.py, line 170, in 
__call__
(Object: index_html)
  File /home/jpenny/zope/Zope-2.2.0b4-src/lib/python/DocumentTemplate/DT_String.py, 
line 502, in __call__
(Object: index_html)
  File /home/jpenny/zope/Zope-2.2.0b4-src/lib/python/DocumentTemplate/DT_Util.py, line 
337, in eval
(Object: product_number)
(Info: product_number)
  File string, line 0, in ?
NameError: (see above)

Great, I know that I have not put product_number in as a cookie or a hidden
value, and it could not be found by acquisition.  It failed in rendering
index_html.  But there are 5 index_html's it could have failed in.

How hard would it be to change the error message to say:

Traceback (innermost last):
  Exception raised while constructing 
  http:
 .
.
 .

Jim

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )




Re: [Zope] Help with ZPoPyDA

2000-07-10 Thread jpenny

On Mon, Jul 10, 2000 at 01:42:48PM -0500, Nitesh Dhanjani wrote:
 
 
 
 
 On Mon, 10 Jul 2000, Sebastien Douche wrote:
 
  Le Mon, Jul 10, 2000 at 10:49:27AM -0500, Nitesh Dhanjani à écrit:
  # Im trying to access a postres database from within zope. I have
  # ZPoPyDA-0.5.tar.gz installed along with PoPy-1.2.
  # 
  # The connection string Im using is something like:
  # user=thierry host=myhost dbname=test port=5432 password=mypassword
  
 
 Yes I know its an example, but did not want to post host+user info to the
 entire mailing list. 
 
 I cannot seem to connect to the postgres database using psql, and get:
 Failed to authenticate client as Postgres user 'bob' using unknown
 authentication type: be_recvauth: unrecognized message type: 131072
 
 so its probably not a problem with ZPoPyDA. If anyone has come across this
 error or might know of a solution, please let me know.

Could you please post a bit more information:

platform postgres is running on:

postgres version:

are internet domain sockets enabled on postgres:

was PoPy compiled locally:

are multiple versions of postgres residing on your db host:

Jim
 
 Thanks
 nitesh.
 
 
 ___
 Zope maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope-dev )
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] Help with ZPoPyDA

2000-07-10 Thread jpenny

On Mon, Jul 10, 2000 at 05:39:27PM -0500, Nitesh Dhanjani wrote:
 
 
 On Mon, 10 Jul 2000 [EMAIL PROTECTED] wrote:
 
  On Mon, Jul 10, 2000 at 01:42:48PM -0500, Nitesh Dhanjani wrote:
   
   
   
   
   On Mon, 10 Jul 2000, Sebastien Douche wrote:
   
Le Mon, Jul 10, 2000 at 10:49:27AM -0500, Nitesh Dhanjani à écrit:
# Im trying to access a postres database from within zope. I have
# ZPoPyDA-0.5.tar.gz installed along with PoPy-1.2.
# 
# The connection string Im using is something like:
# user=thierry host=myhost dbname=test port=5432 password=mypassword

   
   Yes I know its an example, but did not want to post host+user info to the
   entire mailing list. 
   
   I cannot seem to connect to the postgres database using psql, and get:
   Failed to authenticate client as Postgres user 'bob' using unknown
   authentication type: be_recvauth: unrecognized message type: 131072
   
   so its probably not a problem with ZPoPyDA. If anyone has come across this
   error or might know of a solution, please let me know.
  
  Could you please post a bit more information:
  
  platform postgres is running on:
 SunOS 5.6 Generic_105181-19 sun4m sparc SUNW,SPARCstation-20
 
 Client (zope and psql) running on Linux 2.2.16 i686
 
  postgres version:
 The person who installed postgres on the sparc machine isnt around
 anymore, im still trying to figure this out. The postmaster or postres
 executable do not have a "-v" or "-V" option that spits out the version.
 
 The client side psql is 6.5.3

Can psql on the linux connect to the postmaster on the sparc?
(If I am right about the postmaster supporting only unix domain sockets,
it should not.)

 
  
  are internet domain sockets enabled on postgres:
 I usually startup postgres like this "postmaster ", and was told to
 start it up with the -i switch. However postmaster doesnt seem to accept
 that switch:
 % postmaster -h
 usage: postmaster [options..]
 -a authsys  do/do not permit use of an authentication system
 -B nbufsset number of shared buffers
 -b backend  use a specific backend server executable
 -d [1|2|3]  set debugging level
 -D datadir  set data directory
 -m  start up multiplexing backends
 -n  don't reinitialize shared memory after abnormal exit
 -o option   pass 'option' to each backend servers
 -p port specify port for postmaster to listen on
 -S  silent mode (disassociate from tty)
 -s  send SIGSTOP to all backend servers if one dies

OK, you are dead in the water at this point...you can use only Unix domain
sockets and PoPy needs internet domain sockets.  (Unix domain sockets can
only talk when both client and server are on the same machine.)

 
 
  
  was PoPy compiled locally:
 yes, but this shouldnt matter, all im trying to do now is connect to a
 postgres database using psql.

It does matter for this reason:  libpq changed between the
6.3 series and the 6.5 series.  A client compiled against a
newer libpq cannot connect to a postmaster compiled against
the older libpq.  I know that the version distributed by mixadlive.com
was compiled with the new libpq.  

 
  
  are multiple versions of postgres residing on your db host:
 nope
 

My best guess:  you need to build new postgres on both machines.  For
locking performance, you certainly want a more recent version of postgres,
anyway!  The version you have almost certainly does table level locking.
You are going to have to rebuild the sparc's copy.  And dump and restore
may get to be 'interesting'.

 thanks!
 nitesh
 
 
 ___
 Zope maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope-dev )
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] How do I merge form URL vars into sql easily

2000-07-05 Thread jpenny

On Wed, Jul 05, 2000 at 01:31:56PM -0800, [EMAIL PROTECTED] wrote:
 I am a new user to Zope and I'm trying to pass data that has been 
 entered into a form (either through GET or POST) into another 
 object.  This object calls a z sql method to insert the form data into 
 the database.  So far, the only way I've found to pass data to the 
 sql is to define arguments for it and then, in the dtml-document (or 
 method) use:
 dtml-call "REQUEST.set['argument','value']"

This is not a cure, but goes a long ways.  If you have ZSql Method
foo, define a dtml-method curryFoo, (or prepareforFoo, or whatever
you like), that has the dtml-call "REQUEST.set('argument', value)"
statements in it (and nothing else.)

Then your index_html can look like:

...
dtml-call curryFoo
dtml-call foo
...

This is a reasonable compromise between readability and the
necessity to get the arguments into the current REQUEST.

 (and it took me long enough to figure THAT out, let me tell you)
 The problem is that sucks when there are 30 form varibles that 
 need to be inserted into the database.
   I would think that there is some way to let the sql method see 
 these varibles that are defined within my document.  Or loop 
 through all URL or form varibles defined and sets all the vars in 
 request. Something to keep from having to write the above dtml 30 
 times.  Thanks.
 
 Jake Feasel
 
 ___
 Zope maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope-dev )
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] embed an SQL method inside a dtml-in tag

2000-06-27 Thread jpenny

On Tue, Jun 27, 2000 at 12:05:56PM +1000, Andrew Kenneth Milton wrote:
 +[ Dieter Maurer ]-
 | Andrew Kenneth Milton writes:
 |   
 |   So...
 |   dtml-in "bcd_statement(a=a, b=b, c=c)"
 | Alternatively, you could place the values from "abc_sql_statement"
 | into the "REQUEST" object:
 | 
 | dtml-call "REQUEST.set(a=a)"
 | 
 
 Except you get one line per variable you want to set... It's ok if you've
 only got one variable and you want to use it outside the loop, setting
 four or five would get messy I think.

Actually this is not so bad.

Set up a DTML-method that has all of these calls in it.  I like to call 
mine currySomethingArgs

For example, if you have a SQL method Foo requiring args a,b,c,d,e,f,g
then curryFooArgs would have body
dtml-call "REQUEST.set(a=a)"
 .
 .
 .
dtml-call "REQUEST.set(f=f)"

and your calling sequence to Foo looks like

dtml-call curryFooArgs
dtml-call Foo

This also makes the nested SQL call problem easier to read.

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] sql-statements in DTML-Methods....

2000-06-19 Thread jpenny

On Mon, Jun 19, 2000 at 08:50:14AM -0500, Jim Sanford wrote:
 For the most part all a ZSQL method does is used some specialized DTML
 syntax to contruct a string that is your SQL query. You can create a ZQL
 method, say "GenericSQL", that has 1 parameter, let's call it
 "SQLStatement", whose sole DTML statement is "dtml-var SQLStatement".
 
 To use it you would do this:
 
 dtml-in "GeneicSQL(SQLStatement='select * from the_table where the_var =
 \'var_value\'')
 ...
 /dtml-in
 
 You can replace the literal string with a string variable like from a filed
 on a form where you entered you SQL statement.
 
 I use this method extensively.
 
 Jim Sanford

I have also used Jim S.'s method.  But, there is a danger here.  Using ZSQL
methods, you can pretty much insure that users cannot fill in a form such
such that when zope triggers the execution the sql server is crashed or
an inappropriate command is executed.  ZSQL methods will handle quoting
for you, the literal string method will not.  So, in the literal string
method, you may have to worry about input like:
hello';delete from the_table;'select * from that_table
which should run and probably does not have the intended effect.

Further, if your database backend has memory leaks when unexecutable
SQL requests are submitted (some postgresql version have had), you have
opened up a dandy denial of service.  

It is better to use normal ZSQL Methods, unless you are forced not to
(arguments that depend on the data in the form, for example).
And then you need to be very careful with data validation.

Also, note that there are not normally all that many calls to the
database.  You can usually get by with a insert into, a delete from,
a select *, and a few updates per database.  And, they can be shared
by sub-folders.  

Jim Penny 

 
 
 - Original Message -
 From: "Marc LUDWIG" [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Sent: Sunday, June 18, 2000 3:08 PM
 Subject: [Zope] sql-statements in DTML-Methods
 
 
 Hi.
 
 This is one of the first times I'm working with Zope and databases.
 
 Until now - if I wanted to work with a databse, i always created a Z SQL
 method that I called from my DTML-method via
 
 dtml-call "add_item(param1 = ..., param2 = ..., param3 = ...,
 ..."(for example)
 or dtml-in get_items ... /dtml-in  (for example)
 
 In the Z SQL method 'add_item' or 'get_items', my SQL statement are defined.
 
 My question is now:
 
 Do I have to define one Z SQL Method for every SQL statement I want to
 perform on my database or is it possible to define SQL-statements and
 database requests in my DTML-method?
 
 Am I missing something? Any idea? Thanks a lot.
 
 Regards, Marc
 mailto:[EMAIL PROTECTED]
 
 
 ___
 Zope maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists -
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope-dev )
 
 
 
 
 ___
 Zope maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists - 
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope-dev )
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




[Zope] neted dtml-in and ZSQL methods

2000-06-15 Thread jpenny

Suppose, you have a database, items,  that has fields product and scheme.

You are processing a form that has field old_product and new_product.

You have a ZSQL method, get_scheme, with parameter old_product and body
select * from items where product = dtml-sqlvar old_product type=string.

You also have a ZSQL method, new_scheme, with parameter new_product and
scheme.

Observation:

dtml-in get_scheme
 dtml-call new_scheme
/dtml-in

fails, with message

  Zope Error

  Zope has encountered an error while publishing this resource. 

  Error Type: NameError
  Error Value: scheme



  Troubleshooting Suggestions

   This resource may be trying to reference a nonexistent object or 
variable scheme. 
   The URL may be incorrect. 
   The parameters passed to this resource may be incorrect. 
   A resource that this resource relies on may be encountering an error. 

  For more detailed information about the error, please refer to the HTML 
source for this page. 

  If the error persists please contact the site maintainer. Thank you for your 
patience. 

even though

dtml-in get_scheme
 dtml-var "scheme"
/dtml-in

prints the expected value.

Why?

Jim Penny

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )