Re: [Zope] sql-statements in DTML-Methods....

2000-06-19 Thread Jim Sanford

The only users who have access to this method from a HTML form are myself and the 
other system software engineer.
I primarily use it for hard coding simple queries in short DTML documents.

- Original Message - 
From: <[EMAIL PROTECTED]>
To: Jim Sanford <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, June 19, 2000 10:06 AM
Subject: Re: [Zope] sql-statements in DTML-Methods


On Mon, Jun 19, 2000 at 08:50:14AM -0500, Jim Sanford wrote:
> For the most part all a ZSQL method does is use some specialized DTML
> syntax to construct a string that is your SQL query. You can create a ZSQL
> method, say "GenericSQL", that has 1 parameter, let's call it
> "SQLStatement", whose sole DTML statement is "".
> 
> To use it you would do this:
> 
> 
> ...
> 
> 
> You can replace the literal string with a string variable, like from a field
> on a form where you entered your SQL statement.
> 
> I use this method extensively.
> 
> Jim Sanford

I have also used Jim S.'s method.  But, there is a danger here.  Using ZSQL
methods, you can pretty much ensure that users cannot fill in a form such
that when Zope triggers the execution the SQL server is crashed or
an inappropriate command is executed.  ZSQL methods will handle quoting
for you, the literal string method will not.  So, in the literal string
method, you may have to worry about input like:
hello';delete from the_table;'select * from that_table
which should run and probably does not have the intended effect.

Further, if your database backend has memory leaks when unexecutable
SQL requests are submitted (some PostgreSQL versions have had), you have
opened up a dandy denial of service.

It is better to use normal ZSQL Methods, unless you are forced not to
(arguments that depend on the data in the form, for example).
And then you need to be very careful with data validation.

Also, note that there are not normally all that many calls to the
database.  You can usually get by with an insert into, a delete from,
a select *, and a few updates per database.  And, they can be shared
by sub-folders.

Jim Penny 

> 
> 
> - Original Message -
> From: "Marc LUDWIG" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Sunday, June 18, 2000 3:08 PM
> Subject: [Zope] sql-statements in DTML-Methods
> 
> 
> Hi.
> 
> This is one of the first times I'm working with Zope and databases.
> 
> Until now - if I wanted to work with a database, I always created a Z SQL
> method that I called from my DTML-method via
> 
>  ...">(for example)
> or  ...   (for example)
> 
> In the Z SQL method 'add_item' or 'get_items', my SQL statements are defined.
> 
> My question is now:
> 
> Do I have to define one Z SQL Method for every SQL statement I want to
> perform on my database or is it possible to define SQL-statements and
> database requests in my DTML-method?
> 
> Am I missing something? Any idea? Thanks a lot.
> 
> Regards, Marc
> mailto:[EMAIL PROTECTED]
> 
> 
> ___
> Zope maillist  -  [EMAIL PROTECTED]
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
> 
> 
> 
> 
> 







Re: [Zope] sql-statements in DTML-Methods....

2000-06-19 Thread jpenny

On Mon, Jun 19, 2000 at 08:50:14AM -0500, Jim Sanford wrote:
> For the most part all a ZSQL method does is use some specialized DTML
> syntax to construct a string that is your SQL query. You can create a ZSQL
> method, say "GenericSQL", that has 1 parameter, let's call it
> "SQLStatement", whose sole DTML statement is "".
> 
> To use it you would do this:
> 
> 
> ...
> 
> 
> You can replace the literal string with a string variable, like from a field
> on a form where you entered your SQL statement.
> 
> I use this method extensively.
> 
> Jim Sanford

I have also used Jim S.'s method.  But, there is a danger here.  Using ZSQL
methods, you can pretty much ensure that users cannot fill in a form such
that when Zope triggers the execution the SQL server is crashed or
an inappropriate command is executed.  ZSQL methods will handle quoting
for you, the literal string method will not.  So, in the literal string
method, you may have to worry about input like:
hello';delete from the_table;'select * from that_table
which should run and probably does not have the intended effect.

Further, if your database backend has memory leaks when unexecutable
SQL requests are submitted (some PostgreSQL versions have had), you have
opened up a dandy denial of service.

It is better to use normal ZSQL Methods, unless you are forced not to
(arguments that depend on the data in the form, for example).
And then you need to be very careful with data validation.

Also, note that there are not normally all that many calls to the
database.  You can usually get by with an insert into, a delete from,
a select *, and a few updates per database.  And, they can be shared
by sub-folders.

Jim Penny 

> 
> 
> - Original Message -
> From: "Marc LUDWIG" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Sunday, June 18, 2000 3:08 PM
> Subject: [Zope] sql-statements in DTML-Methods
> 
> 
> Hi.
> 
> This is one of the first times I'm working with Zope and databases.
> 
> Until now - if I wanted to work with a database, I always created a Z SQL
> method that I called from my DTML-method via
> 
>  ...">(for example)
> or  ...   (for example)
> 
> In the Z SQL method 'add_item' or 'get_items', my SQL statements are defined.
> 
> My question is now:
> 
> Do I have to define one Z SQL Method for every SQL statement I want to
> perform on my database or is it possible to define SQL-statements and
> database requests in my DTML-method?
> 
> Am I missing something? Any idea? Thanks a lot.
> 
> Regards, Marc
> mailto:[EMAIL PROTECTED]
> 
> 
> 
> 
> 
> 
> 





Re: [Zope] sql-statements in DTML-Methods....

2000-06-19 Thread Jim Sanford

For the most part all a ZSQL method does is use some specialized DTML
syntax to construct a string that is your SQL query. You can create a ZSQL
method, say "GenericSQL", that has 1 parameter, let's call it
"SQLStatement", whose sole DTML statement is "".

To use it you would do this:


...


You can replace the literal string with a string variable, like from a field
on a form where you entered your SQL statement.

I use this method extensively.

Jim Sanford


- Original Message -
From: "Marc LUDWIG" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, June 18, 2000 3:08 PM
Subject: [Zope] sql-statements in DTML-Methods


Hi.

This is one of the first times I'm working with Zope and databases.

Until now - if I wanted to work with a database, I always created a Z SQL
method that I called from my DTML-method via

(for example)
or  ...   (for example)

In the Z SQL method 'add_item' or 'get_items', my SQL statements are defined.

My question is now:

Do I have to define one Z SQL Method for every SQL statement I want to
perform on my database or is it possible to define SQL-statements and
database requests in my DTML-method?

Am I missing something? Any idea? Thanks a lot.

Regards, Marc
mailto:[EMAIL PROTECTED]










[Zope] sql-statements in DTML-Methods....

2000-06-18 Thread Marc LUDWIG

Hi.

This is one of the first times I'm working with Zope and databases.

Until now - if I wanted to work with a database, I always created a Z SQL
method that I called from my DTML-method via

(for example)
or  ...   (for example)

In the Z SQL method 'add_item' or 'get_items', my SQL statements are defined.

My question is now:

Do I have to define one Z SQL Method for every SQL statement I want to 
perform on my database or is it possible to define SQL-statements and 
database requests in my DTML-method?

Am I missing something? Any idea? Thanks a lot.

Regards, Marc
mailto:[EMAIL PROTECTED]

