Jim Steil wrote:
Hi:

I'm trying to pass a parameter to my SQLObject object to subset the select list. I'm getting the following error:

    TypeError: decoding Unicode is not supported

Here is my controller code. It works fine unless something is passed in the searchText argument. Do I need to do something to the string that is passed in before I give it to SQLObject?

    @tg.expose(template='motion.templates.administration.plants')
    def plants(self, *args, **kw):
        import time
        try:
            searchText = kw['searchText']
        except KeyError:
            searchText = ''
        if searchText:
            plants = Plant.select('name = \'%s\'' % (searchText), orderBy='plantNumber')
        else:
            plants = Plant.select(orderBy='plantNumber')
        tmplDict = {'plants':plants, 'searchText':searchText}
        return dict(now=time.ctime(), menuLinks=self.menuLinks, tmplDict=tmplDict, plantListWidget=plantListWidget)

This works OK in the tg-admin shell, but I'm guessing that something is happening to the string that is passed into the function that is causing this.

Several remarks here:

Python has several ways of declaring literal strings. Single, double and triple quotes. So there is no need to escape quotes like this:

    '\''

Just use double quotes.

Then building queries the way you do makes you vulnerable to SQL injection attacks. Don't do it. Do it - if it is plain DB-API - with parameters, like this:

    cursor.execute("select foo from bar where baz = ?", (someValueForBaz,))

However, as we deal with SO here, don't go with sql, go with the query
builder, like this:

    Plant.select(Plant.q.name == searchText)

Diez
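
Added example (not part of the original thread, and not SQLObject code): the string-formatted query from the question next to the parameterized DB-API form from the reply, run against Python's standard-library sqlite3 as a stand-in driver. The table, rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory plant table from constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plant (plantNumber INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO plant VALUES (?, ?)",
        [(1, "Green Bay"), (2, "O'Hare"), (3, "Madison")],  # constructed data
    )
    return conn

def search_formatted(conn, search_text):
    """Pattern from the question: the input becomes part of the SQL text."""
    sql = "SELECT name FROM plant WHERE name = '%s' ORDER BY plantNumber" % search_text
    cur = conn.cursor()
    cur.execute(sql)
    return [row[0] for row in cur.fetchall()]

def search_parameterized(conn, search_text):
    """Pattern from the reply: the value is bound separately from the SQL text."""
    sql = "SELECT name FROM plant WHERE name = ? ORDER BY plantNumber"
    cur = conn.cursor()
    cur.execute(sql, (search_text,))
    return [row[0] for row in cur.fetchall()]

def compare(search_text):
    """Run both variants and return the rows, or the error type, for each."""
    conn = make_db()
    results = {}
    for label, fn in (("formatted", search_formatted),
                      ("parameterized", search_parameterized)):
        try:
            results[label] = fn(conn, search_text)
        except sqlite3.Error as exc:
            results[label] = type(exc).__name__
    conn.close()
    return results

if __name__ == "__main__":
    # A plain name, a legitimate name containing a quote, and input that
    # rewrites the WHERE clause when pasted into the SQL text.
    for text in ("Madison", "O'Hare", "x' OR '1'='1"):
        print(repr(text), compare(text))
```

The formatted variant fails on a legitimate name containing an apostrophe and returns every row for the third input, while the parameterized variant treats both as plain values to compare against the name column.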

