>
> db.define_table('products',
>     Field('product_name'),
>     Field('current_price', 'float'),
>     Field('image', 'upload'),
>     Field('description', type='text'),
>     Field('product_availability', requires = IS_IN_SET(['Available','Not Available'])),
>     auth.signature,
> )
>
> db.define_table('orders',
>     Field('productId', db.product),
>
Is this your real code? If so, the above line would be throwing an
exception, as the table name is db.products, not db.product.
> def proc():
>     prodDict = {}
>     productrows = db(db.products).select()
>     for x in productrows:
>         prodDict[x.id] = x.product_name
>     order_date = str(request.now.year) + "-" + str(request.now.month) + "-" + str(request.now.day)
>     qty = request.vars.qty
>     productId = request.vars.productId
>     userId = session.auth.user.id
>     sql = "INSERT INTO orders (productId, userId, qty, order_date) values (str(productId), str(userId), str(qty), str(order_date))"
>
Above, you cannot mix Python into your SQL code. Also, by generating SQL
with user-submitted values, you are opening yourself to SQL injection
attacks. Why are you manually generating raw SQL rather than using the DAL
to do the insert?
Before proceeding, I strongly suggest reading the web2py documentation.
Anthony
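
An added example, not part of the original thread or of web2py's code: the standard library's sqlite3 module stands in for the application database to show why pasting request values into the INSERT text is injectable, next to the same insert done with validated, bound parameters. The schema, function names and the sample qty string are constructed for illustration; in web2py the DAL's `db.orders.insert(...)` likewise takes the values as arguments rather than as SQL text.

```python
import sqlite3

COLUMNS = "productId, userId, qty, order_date"

def make_db():
    """In-memory stand-in for the thread's orders table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (productId INTEGER, userId INTEGER, "
                 "qty INTEGER, order_date TEXT)")
    return conn

def insert_concatenated(conn, product_id, user_id, qty, order_date):
    """Vulnerable: request values become part of the SQL text itself."""
    sql = "INSERT INTO orders (%s) VALUES (%s, %s, %s, '%s')" % (
        COLUMNS, product_id, user_id, qty, order_date)
    conn.execute(sql)

def insert_parameterized(conn, product_id, user_id, qty, order_date):
    """Hardened: validate the types, then pass values as bound parameters."""
    values = (int(product_id), int(user_id), int(qty), order_date)  # ValueError on junk
    conn.execute("INSERT INTO orders (%s) VALUES (?, ?, ?, ?)" % COLUMNS, values)

def order_rows(conn):
    return conn.execute("SELECT %s FROM orders ORDER BY rowid" % COLUMNS).fetchall()

# Constructed request value: closes the first tuple and supplies a second row
# that is attributed to a different userId.
HOSTILE_QTY = "1, '2014-01-01'), (7, 999, 50"

def demo():
    results = {}
    conn = make_db()
    insert_concatenated(conn, "7", 42, HOSTILE_QTY, "2014-01-02")
    results["concatenated"] = order_rows(conn)   # two rows from one request

    conn = make_db()
    try:
        insert_parameterized(conn, "7", 42, HOSTILE_QTY, "2014-01-02")
    except ValueError:
        results["rejected"] = True               # hostile qty never reaches SQL
    insert_parameterized(conn, "7", 42, "3", "2014-01-02")
    results["parameterized"] = order_rows(conn)  # only the legitimate order
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```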