No, ZSQL really predates bind variables.  That is, they were
available on a few systems, but were rare.  If the Oracle
specialist has a reason for going to external methods, like
his server is seriously loaded, I would pay attention to him.
If he is just following some set of "best practices", well, that
is a political problem for Remy.

Using external methods will be more work for the Zope writer.
I don't know enough to comment seriously on security issues,
but I think that using procedures, like using bind variables, will
make SQL injection much harder.





Cynthia Kiser <cnk+z...@caltech.edu>
02/17/2009 06:44 PM

To: jpe...@ykksnap-america.com
cc: Remy Pinsonnault <remypinsonna...@gmail.com>, zope-db@zope.org
Subject: Re: [Zope-DB] [Zope] Stored Procedures Versus ZSQL Methods






Quoting jpe...@ykksnap-america.com <jpe...@ykksnap-america.com>:
> Yes, with a stored procedure the DB does not have to reparse and
> prepare a new plan for every query.  This can be a major win.  Esp. 
> on Oracle.

Does ZSQL allow the use of bind variables? If so and the database has
a correctly sized query cache, there shouldn't be much reparsing for
repeated queries. 


_______________________________________________
Zope-DB mailing list
Zope-DB@zope.org
http://mail.zope.org/mailman/listinfo/zope-db
