On 18.06.2007, 16:03, <[EMAIL PROTECTED]> wrote:

There are no pros and cons.  Only cons.

This is generally right, unless you use .execute(statement, (paras,)) on the DA like you can with the mxODBC Zope DA. Although admittedly this is currently only available for ExternalMethods. Adding support for .execute() in a DA is not hard. However, this should only be used occasionally if it is important to generate your SQL and using something like SQLalchemy isn't appropriate.

There is a good argument to be made that ZSQL methods are entirely
a bad idea -- that only prepared statements should be supported, as it
is far harder to break security.

I don't think they are a bad idea; in fact, I find them very helpful, but they could be updated to use prepared statements with bound parameters, which require the driver to quote parameters. I've started work on a simpleSQLTemplate which uses string.Template to support $placeholders

"SELECT id FROM table WHERE id = $value"
->
"SELECT id FROM table WHERE id = ?", (value,) # generate the SQL using the appropriate paramstyle for the underlying DB driver.

Charlie
--
Charlie Clark
eGenix.com

Professional Python Services directly from the Source
Python/Zope Consulting and Support ...        http://www.egenix.com/
mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

:::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,MacOSX for free ! ::::

    eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
_______________________________________________
Zope-DB mailing list
Zope-DB@zope.org
http://mail.zope.org/mailman/listinfo/zope-db
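The $placeholder-to-paramstyle rewrite sketched in Charlie's message, worked through as an added example (not his simpleSQLTemplate and not mxODBC code): a string.Template subclass that emits the driver's DB-API 2.0 parameter markers and hands the values back for binding, so user input never becomes part of the statement text. The class and function names are assumed for this illustration.

```python
from string import Template

# Added example (hypothetical names, not Charlie's simpleSQLTemplate): "$name"
# placeholders become the parameter markers of the driver's DB-API paramstyle and
# the values are returned separately for cursor.execute() to bind.
POSITIONAL = {"qmark": "?", "format": "%s"}      # one marker per occurrence
NAMED = {"named": ":%s", "pyformat": "%%(%s)s"}  # marker carries the name
# Note: format/pyformat drivers also expect a literal % in the SQL written as %%.


class SQLTemplate(Template):
    """$name or ${name} is one bound parameter; $$ is a literal dollar sign."""

    def render(self, params, paramstyle="qmark"):
        """Return (sql, bound): the SQL with driver markers and the values to
        pass to cursor.execute(). bound is a tuple for positional styles and a
        dict for named styles. Ill-formed or unbound placeholders raise."""
        if paramstyle not in POSITIONAL and paramstyle not in NAMED \
                and paramstyle != "numeric":
            raise ValueError("unknown DB-API paramstyle %r" % paramstyle)
        positional = []  # values in order of appearance (qmark, format, numeric)

        def marker(match):
            if match.group("escaped") is not None:
                return self.delimiter  # "$$" -> "$"
            name = match.group("named") or match.group("braced")
            if name is None:
                raise ValueError("ill-formed placeholder near %r" % match.group())
            if name not in params:
                raise KeyError("no value bound for placeholder $%s" % name)
            if paramstyle in POSITIONAL:
                positional.append(params[name])
                return POSITIONAL[paramstyle]
            if paramstyle == "numeric":
                positional.append(params[name])
                return ":%d" % len(positional)
            return NAMED[paramstyle] % name

        sql = self.pattern.sub(marker, self.template)
        if paramstyle in NAMED:
            used = {m.group("named") or m.group("braced")
                    for m in self.pattern.finditer(self.template)}
            return sql, {n: params[n] for n in used if n is not None}
        return sql, tuple(positional)


if __name__ == "__main__":
    tpl = SQLTemplate("SELECT id FROM table WHERE id = $value")
    # Hostile-looking input stays a bound value; the statement text is unchanged.
    print(tpl.render({"value": "1 OR 1=1"}, "qmark"))
    print(tpl.render({"value": "1 OR 1=1"}, "pyformat"))
```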
