On Wednesday 05 September 2007 05:00:43 badfrog wrote:
> Day 2 with tg, and I'm still playing around with the framework. I'm
> trying to implement a generic search for a model based on SQLObject,
> that would work like this:
>
> foo/Search?searchBy=name&search=something
>
> so that the controller's Search method would look like this:
>
> def Search(self, searchBy, search):
>     result = foo.selectBy(searchBy=search)
>
> Obviously, this doesn't work as written, apparently because searchBy
> is a string, and selectBy expects *some other type*.
>
> This works, though:
>
> def Search(self, searchBy, search):
>     where = "%s='%s'" % (searchBy, search)
>     result = foo.select(where)
>
> But makes me scream "SQL INJECTION!!!! RUN AWAY!!!"
>
> So... what's the "correct" approach here? Thanks!
getattr.

    foo.select(getattr(foo.q, searchBy) == search)

Of course, if foo.q.searchBy is something expecting something other than a string, you need to convert search first. There should be meta-info available to you, if you want to automate that.

But to be brutally honest: IMHO your whole approach is flawed, because there is no such thing as a generic search. Making complex queries is always difficult to get right, especially when several clauses are involved etc. So I'd say - apart from getting to know the tools, of course - it's a dead-end road you're walking there.

-- 
Diez B. Roggisch
Developer
A Milastraße 4 / D-10437 Berlin
T +49 (30) 443 50 99 - 27
F +49 (30) 443 50 99 - 99
M +49 (179) 11 75 303
E [EMAIL PROTECTED]
Managing directors: Ekkehard Blome (CEO), Felix Kuschnick (CCO)
Registry court: Amtsgericht Berlin Charlottenburg HRB 76376
VAT ID: DE 217652550
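The two query shapes discussed in this thread, as an added example that is not part of either post: the `"%s='%s'" % (searchBy, search)` string-pasting from the question beside a hardened version. The reply's `getattr(foo.q, searchBy) == search` form hands the *value* to SQLObject's query builder instead of pasting it into the WHERE text, but the *column name* still arrives from the request, and `getattr` on a user-supplied string reaches whatever attribute that name happens to match, not only columns. The practitioner's fix is therefore two-part: validate the column name against an allowlist of searchable columns, and bind the value as a parameter. To run without SQLObject the example uses the standard-library `sqlite3` module; the table, its rows and the `SEARCHABLE_COLUMNS` allowlist are constructed for the demonstration and are not from the original post.

```python
import sqlite3

# Constructed allowlist for the example: the only column names a request may
# name. Note that "secret" is deliberately absent, so it cannot be searched
# even though it exists in the table.
SEARCHABLE_COLUMNS = frozenset({"name", "email"})


def make_db():
    """Build an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE foo (id INTEGER PRIMARY KEY, name TEXT, email TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO foo (name, email, secret) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.invalid", "token-a"),
            ("bob", "bob@example.invalid", "token-b"),
        ],
    )
    return conn


def search_unsafe(conn, search_by, search):
    """The pattern from the question: column AND value pasted into the SQL text.

    Both arguments are attacker-controlled (they come straight from the
    query string), so either one can change the shape of the query.
    """
    where = "%s='%s'" % (search_by, search)
    return conn.execute("SELECT id, name FROM foo WHERE " + where).fetchall()


def search_safe(conn, search_by, search):
    """Hardened version.

    1. The column name is checked against a fixed allowlist; it is never
       trusted as SQL, and unknown names are rejected before any query runs.
    2. The value is passed as a bound parameter, so quotes or SQL keywords
       in it are just data, never syntax.
    """
    if search_by not in SEARCHABLE_COLUMNS:
        raise ValueError("not a searchable column: %r" % (search_by,))
    # Safe to interpolate here: search_by is one of our own literal names.
    sql = "SELECT id, name FROM foo WHERE %s = ?" % search_by
    return conn.execute(sql, (search,)).fetchall()


def demo():
    """Return (legit_unsafe, injected_unsafe, injected_safe) result counts."""
    conn = make_db()
    payload = "x' OR '1'='1"                       # classic value injection
    legit = search_unsafe(conn, "name", "alice")   # works as intended: 1 row
    injected = search_unsafe(conn, "name", payload)  # tautology: every row
    hardened = search_safe(conn, "name", payload)    # literal match: no rows
    return len(legit), len(injected), len(hardened)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(1, 2, 0)`: the legitimate lookup finds Alice, the injected value turns the unsafe WHERE clause into `name='x' OR '1'='1'` and returns every row, while the hardened version treats the same payload as an ordinary string and matches nothing. Passing `search_by="secret"` or `"1=1 OR name"` to `search_safe` raises `ValueError` before any SQL is built, which is the check the `getattr` approach also needs in front of it.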

