> I tried to invoke the "query" method of my adapter (which is named
> "dhatabase") with this code:
> "
> p = context.REQUEST.get('delete_this')
> if p:
>     s = ', '.join([str(x) for x in p])
>     t = "delete from person where person_id in (%s);" % s
>     context.dhatabase.query(query_string=t)
> "
> ...and got this error: "AttributeError: query" (full traceback at end of
> message).  What's wrong with my method call?


Assuming that 'dhatabase' is your DatabaseConnection object.

> I also have a broader question:  When one is composing dynamic SQL in Python
> scripts, what are the pros and cons of executing them by going directly to
> the database adapter (as suggested above) vs passing it in as the sole
> argument of an "empty" ZSQL method?  By "empty" ZSQL method I mean something
> like:
I think in this case there is no difference. Both ways may be harmful
unless you're sure that it is not possible to do SQL injection.

Maciej Wisniowski
Zope-DB mailing list
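
An added example, not part of the original thread: one way to build the `delete ... where person_id in (...)` statement from the question so that the `delete_this` request values never become SQL text. It assumes Python's `sqlite3` as a stand-in for the Zope database adapter; `parse_ids`, `delete_people`, `demo` and `MAX_IDS` are hypothetical names, and the sample rows are constructed.

```python
import sqlite3

MAX_IDS = 500  # assumed cap, kept below SQLite's bound-parameter limit


def parse_ids(raw):
    """Coerce the request value to a list of ints and reject anything else."""
    if isinstance(raw, (str, bytes)):
        raw = [raw]  # a single form value arrives as a scalar, not a list
    ids = []
    for item in raw:
        text = item.decode("ascii", "replace") if isinstance(item, bytes) else str(item)
        text = text.strip()
        if not (text.isascii() and text.isdigit()):
            raise ValueError("person_id must be a non-negative integer: %r" % text)
        ids.append(int(text))
    if len(ids) > MAX_IDS:
        raise ValueError("too many ids in one request")
    return ids


def delete_people(conn, raw_ids):
    """Delete the listed rows; only '?' markers are formatted into the SQL."""
    ids = parse_ids(raw_ids)
    if not ids:
        return 0
    placeholders = ", ".join("?" for _ in ids)
    sql = "delete from person where person_id in (%s)" % placeholders
    cur = conn.execute(sql, ids)  # values travel as bound parameters
    conn.commit()
    return cur.rowcount


def demo():
    """Run against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table person (person_id integer primary key, name text)")
    conn.executemany("insert into person values (?, ?)",
                     [(1, "a"), (2, "b"), (3, "c")])
    deleted = delete_people(conn, ["1", "3"])
    try:
        delete_people(conn, ["2", "0) or (1=1"])  # constructed non-integer value
        rejected = False
    except ValueError:
        rejected = True
    remaining = [r[0] for r in conn.execute("select person_id from person")]
    return deleted, rejected, remaining


if __name__ == "__main__":
    print(demo())
```

The scalar check in `parse_ids` also covers the case where only one `delete_this` value is submitted and the request holds a string rather than a list.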
