On 18.06.2007, 16:03, <jpenny ykksnap-america.com> wrote:
> There are no pros and cons. Only cons.

This is generally right, unless you use .execute(statement, (paras,)) on
the DA like you can with the mxODBC Zope DA. Although admittedly this is
currently only available for ExternalMethods. Adding support for
.execute() in a DA is not hard. However, this should only be used
occasionally if it is important to generate your SQL and using something
like SQLAlchemy isn't appropriate.

> There is a good argument to be made that ZSQL methods are entirely
> a bad idea -- that only prepared statements should be supported, as it
> is far harder to break security.

I don't think they are a bad idea; in fact I find them very helpful, but
they could be updated to use prepared statements with bound parameters,
which require the driver to quote parameters. I've started work on a
SimpleSQLTemplate which uses string.Template to support $placeholders

"SELECT id FROM table WHERE id = $value"
->
"SELECT id FROM table WHERE id = ?", (value,) # generate the SQL using the
appropriate paramstyle for the underlying DB driver.

Charlie
--
Charlie Clark
eGenix.com
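
The $placeholder-to-bound-parameter translation sketched in the message above, as an added example that is not Charlie Clark's SimpleSQLTemplate code. The name compile_sql, the items table and the sample input are assumptions constructed for illustration, and only the positional qmark and numeric paramstyles are handled.

```python
import sqlite3
from string import Template

# Positional DB-API (PEP 249) paramstyles handled by this sketch.
_MARKERS = {"qmark": lambda n: "?", "numeric": lambda n: ":%d" % n}


def compile_sql(template, values, paramstyle="qmark"):
    """Rewrite $name / ${name} into driver markers plus an ordered tuple."""
    marker = _MARKERS[paramstyle]
    params = []

    def replace(match):
        if match.group("escaped") is not None:
            return "$"  # "$$" stays a literal dollar sign
        name = match.group("named") or match.group("braced")
        if name is None:
            raise ValueError("invalid placeholder at offset %d" % match.start())
        params.append(values[name])  # KeyError if the caller omitted a value
        return marker(len(params))

    # Template.pattern is the regex string.Template itself uses for "$".
    return Template.pattern.sub(replace, template), tuple(params)


def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id TEXT)")
    db.executemany("INSERT INTO items VALUES (?)", [("1",), ("2",)])
    hostile = "1' OR '1'='1"  # constructed input carrying SQL syntax

    # Bound parameter: the driver passes the value as data, never as SQL.
    sql, params = compile_sql("SELECT id FROM items WHERE id = $value",
                              {"value": hostile}, sqlite3.paramstyle)
    bound = db.execute(sql, params).fetchall()

    # Contrast: plain string substitution splices the value into the SQL.
    inline = Template("SELECT id FROM items WHERE id = '$value'")
    spliced = db.execute(inline.substitute(value=hostile)).fetchall()
    return sql, params, bound, sorted(spliced)


if __name__ == "__main__":
    print(demo())
```

A placeholder written inside a quoted SQL literal would be rewritten to a marker as well, so templates for this function must keep placeholders outside quotes.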