No, ZSQL really predates bind variables. That is, they we
available on a few systems, but were rare. If the Oracle
specialist has a reason for going to external methods, like
his server is seriously loaded, I would pay attention to him.
If he is just following some set of "best practices", well, that
is a political problem for Remy.
Using external methods will be more work for the zope writer.
I don't know enough to comment seriously on security issues,
but I think that using procedures, like using bind variables, will
make SQL Injection much harder.
Cynthia Kiser <cnk+z...@caltech.edu>
02/17/2009 06:44 PM
Remy Pinsonnault <remypinsonna...@gmail.com>, firstname.lastname@example.org
Re: [Zope-DB] [Zope] Stored Procedures Versus ZSQL Methods
Quoting jpe...@ykksnap-america.com <jpe...@ykksnap-america.com>:
> Yes, with a stored procedure the DB does not have to reparse and
> prepare a new plan for every query. This can be a major win. Esp.
> on Oracle.
Does ZSQL allow the use of bind variables? If so and the database has
a correctly sized query cache, there shouldn't be much reparsing for
Zope-DB mailing list