Am 18.06.2007, 22:10 Uhr, schrieb Ken Winter <[EMAIL PROTECTED]>:

Thanks Charlie & Jim ~
SQL injection is a new one on me, and I'm glad to learn about it now
(painlessly) rather than later (painfully).

Preventing SQL injection for non-savvy users (and letting them learn about it later when they might understand it better) is probably the single greatest reason for using ZSQL and Zope to integrate external RDBMS's. It's worth remembering that it was developed before bound parameters were generally supported and has unfortunately been somewhat neglected since. If you're going to want to manage and reuse your SQL calls then I would highly recommend you stick with ZSQL and <dtml-sqlvar ...> until you are more comfortable with Zope in general: it's easy to rack up twenty or thiry *completely* different SQL statements in a site and not need to look at them again for a couple of years. Then, when you have to, it's incredibly wonderful being able to review and test them individually.

Charlie Clark

Professional Python Services directly from the Source
Python/Zope Consulting and Support ...
mxODBC.Zope.Database.Adapter ...   
mxODBC, mxDateTime, mxTextTools ...

:::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,MacOSX for free ! :::: Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
Zope-DB mailing list

Reply via email to