On 18.02.2009, 00:58, <> wrote:

> Using external methods will be more work for the zope writer.
> I don't know enough to comment seriously on security issues,
> but I think that using procedures, like using bind variables, will
> make SQL Injection much harder.

The mxODBC Zope DA makes the execute() method available to connection object 
instances which allows for parameter binding and the next release will make 
this available for PythonScripts. Rather than use ExternalMethods, however, I'd 
suggest that you use Views instead which make tying everything together a lot 

Regarding performance: the comparisons we did a few years ago suggested that 
parameter binding is around 40% faster for non-cached access from Zope as Zope 
does quite a lot of work to turn ZSQL methods into usable queries. If the 
caching works for you then you will have pretty good performance because Zope 
will only actually run the query for something that isn't in the cache. Stored 
procedures can offer a performance improvement if you plan to manipulate the 
data in any way, i.e. if you want to get data out of several views and do 
something with it before you pass it to the browser. But most importantly - in 
the Zope world the RDBMS is unlikely ever to be your bottleneck.

Charlie Clark

Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ...
>>> mxODBC.Zope.Database.Adapter ...   
>>> mxODBC, mxDateTime, mxTextTools ...

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
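The difference between splicing a value into the SQL text and binding it through execute(sql, params), as discussed in the thread above, shown as an added example that is not from the post or from mxODBC. It assumes sqlite3 as a stand-in for the mxODBC Zope DA connection, since both follow DB-API 2 with the qmark paramstyle; the users table and its rows are constructed for the demonstration.

```python
# Added example (not from the mailing-list post or from mxODBC): one lookup
# written with string formatting and with DB-API parameter binding.
# sqlite3 stands in for the mxODBC Zope DA connection; both use the DB-API 2
# "qmark" paramstyle, so execute(sql, params) has the same shape.
import sqlite3

# Constructed sample data: a small "users" table.
USERS = [(1, "alice", "alice@example.org"),
         (2, "bob", "bob@example.org"),
         (3, "O'Brien", "obrien@example.org")]


def connect():
    """Return an in-memory database populated with the constructed USERS rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_formatted(conn, name):
    """Splice the value into the SQL text. The value becomes part of the query
    grammar: a quote in it breaks the statement or changes what it selects."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    """Bind the value as a parameter. The SQL text is fixed; the driver passes
    the value separately, so it can only ever be compared as data."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both variants on one input and report what each returned
    (or the error the formatted version raised)."""
    conn = connect()
    try:
        formatted = lookup_formatted(conn, name)
    except sqlite3.Error as exc:
        formatted = "error: %s" % exc
    bound = lookup_bound(conn, name)
    conn.close()
    return {"formatted": formatted, "bound": bound}


if __name__ == "__main__":
    # A legitimate name containing a quote: formatting breaks the statement,
    # binding finds the row. A value shaped like SQL: formatting changes the
    # WHERE clause and returns every row; binding matches nothing.
    print(compare("O'Brien"))
    print(compare("' OR '1'='1"))
```

The bound variant needs no escaping in the Zope code at all, which is the property the thread is after; the cache and performance remarks above are independent of which variant is used.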

Zope-DB mailing list