I agree. However, this is true of all DTML. I mean, it's just as true in DTML methods that might REQUEST.set the args to the ZSQLMethod, i.e. they could be tricked into REQUEST.set(ing) a false total etc. because they look up all of their variables in the namespace.
Cheers,
Tim

Paul Zwarts wrote:
>
> Hi Tim,
>
> Just to play devil's advocate: it seems this way, that methods pulling
> non-specifically from the namespace could allow ways to modify the result if
> someone paid close attention to what's going on, i.e. the total price of
> your shopping cart before it's sent to the transaction broker. It
> requires the programmer to take even closer care that all variables
> generated at runtime are first cleaned and wiped so that this same
> REQUEST couldn't just be anticipated by someone who's interested.
>
> Or can you suggest a way around this?
>
> Thanks,
> Paul Zwarts
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
> Of Tim McLaughlin
> Sent: Thursday, October 11, 2001 1:30 PM
> To: [EMAIL PROTECTED]
> Cc: Micah Martin
> Subject: [Zope-dev] ZSQL methods lookup vars in REQUEST only (why?)
>
> I've been asked too many times now by developers what is wrong when they
> call ZSQL Methods without passing parameters because their parameters
> are in the namespace. This seems to make sense to all new Zopers (and
> some older ones like myself) because all other DTML lookups are in the
> entire namespace.
>
> Anyway, I propose that ZSQLMethods change and do variable lookups in the
> entire namespace, not just the REQUEST object. It seems to be a simple
> enough change (at least it looks it) and I can submit the patches, but
> the harder thing is to get people to agree that it is a change for the
> better.
>
> The only argument that I have heard against it is that variables will be
> found mysteriously through the stack and that this is harder to
> understand. However, that just makes it inconsistent with all other
> DTML and therefore mysterious in its own way.
>
> Consistency is much better for learning and for remembering, and DTML in
> ZSQL should work the same as DTML in DTML Methods, etc.
> Please consider this and abuse me as appropriate ;)
>
> Regards,
> Tim
> --
> Tim McLaughlin
> iterationZERO - www.iterationzero.com
> 703.481.2233
>
> _______________________________________________
> Zope-Dev maillist - [EMAIL PROTECTED]
> http://lists.zope.org/mailman/listinfo/zope-dev
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope )
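As an added illustration of the lookup behaviour argued about in this thread (added here; it is not code from the thread, from Zope, or from the ZSQL Method implementation): a small Python model of a DTML-style namespace stack with REQUEST at the bottom, and of a ZSQL-Method-like object that fills any parameter the caller did not pass from REQUEST only. The names insert_order, cart_total, checkout_implicit, checkout_request_set, checkout_explicit and the CART data are made up for the illustration. It shows the two ways a client-supplied form field can end up as the bound total: calling the method with no parameters (the new-Zoper mistake Tim describes), and Tim's REQUEST.set case, where the name being set resolves through the whole namespace and falls through to the form when no server-side layer binds it. The last function shows the fix: pass the server-computed value explicitly so REQUEST is never consulted for it.

```python
from decimal import Decimal


class Namespace:
    """Toy DTML-style namespace: a stack of dict layers searched from the top.

    Zope pushes REQUEST near the bottom of the stack, so a name that no
    server-side layer binds falls through to whatever the client sent.
    (Model for this illustration, not Zope's DocumentTemplate code.)
    """

    def __init__(self, *layers):
        self.layers = list(layers)          # bottom ... top

    def lookup(self, name):
        for layer in reversed(self.layers):
            if name in layer:
                return layer[name]
        raise KeyError(name)


class SQLMethod:
    """Stand-in for a ZSQL Method as the thread describes it: it declares its
    argument names, and any argument the caller does not pass explicitly is
    looked up in REQUEST only, i.e. in client-supplied data."""

    def __init__(self, *argnames):
        self.argnames = argnames

    def bind(self, request, **passed):
        bound = {}
        for name in self.argnames:
            if name in passed:
                bound[name] = passed[name]       # explicit, server-chosen value
            else:
                bound[name] = request[name]      # implicit, whatever the form sent
        return bound                             # would become the SQL parameters


# Hypothetical ZSQL Method: INSERT INTO orders (customer_id, total) ...
insert_order = SQLMethod("customer_id", "total")

# Constructed server-side cart: (unit price, quantity).
CART = [("19.99", 2), ("5.00", 1)]


def cart_total(cart):
    """Server-side computation the client must not be able to replace."""
    return sum(Decimal(price) * qty for price, qty in cart)


def checkout_implicit(request, cart):
    """The mistake the thread says new Zopers make: the total is computed
    into the DTML namespace, then the ZSQL Method is called with no
    parameters. The method looks in REQUEST only, so the client's own
    'total' form field is what gets bound."""
    dtml_namespace = Namespace(request, {"total": cart_total(cart)})
    assert dtml_namespace.lookup("total") == cart_total(cart)  # DTML sees the right value...
    return insert_order.bind(request)                          # ...but the method never does


def checkout_request_set(request, server_layer):
    """Tim's point in the reply: a DTML method doing
    REQUEST.set('total', <dtml-var computed_total>) resolves computed_total
    through the whole namespace. If no server-side layer binds that name
    (typo, branch not taken), the lookup falls through to the form."""
    request = dict(request)                         # do not mutate the caller's form
    ns = Namespace(request, server_layer)           # REQUEST below server-side data
    request["total"] = ns.lookup("computed_total")  # the REQUEST.set(...)
    return insert_order.bind(request)


def checkout_explicit(request, cart):
    """Hardened: compute the total from server-side data and hand it to the
    method as an explicit parameter, so REQUEST is never consulted for it."""
    return insert_order.bind(request, total=cart_total(cart))


if __name__ == "__main__":
    # Constructed hostile form submission: the client pre-populates the
    # names it expects the server to look up.
    form = {"customer_id": "42", "total": "0.01", "computed_total": "0.01"}
    print("no parameters            ->", checkout_implicit(form, CART)["total"])   # 0.01
    print("REQUEST.set, name bound  ->",
          checkout_request_set(form, {"computed_total": cart_total(CART)})["total"])  # 44.98
    print("REQUEST.set, name unbound->", checkout_request_set(form, {})["total"])  # 0.01
    print("explicit parameter       ->", checkout_explicit(form, CART)["total"])   # 44.98
```

Run it as a script to see the four cases side by side. The point of the model is that widening ZSQL lookups to the whole namespace, as proposed, does not by itself remove the hazard: what matters is whether the name finally resolves from a server-side layer or from the form, and passing the value explicitly is the only variant above where the answer does not depend on what the client chose to send.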