From: ralph h. <1st...@1I...> - 2004-04-16 15:51:20
Hi, I want to generate the insert code from both the form and the columns. The hard part seems to be the form fields. Should I specify them in a list self.fields=['SSNUM','FirstName',...] and then simply use self.fields[index[... in my code?

--- "Mike C. Fletcher" <mcf...@ro...> wrote:

Kevin Altis wrote (quoting ralph heimburger):
...
>>insstmt="INSERT INTO MEMBER ("
>> for colname in self.rowsDict: insstmt=insstmt+colname+","
>> insstmt=insstmt[1:len(insstmt)-1]+") VALUES ("
>> ##for textvalue in self.components:
>> insstmt=insstmt+"'"+self.components.SSN.text+"',"
>> insstmt=insstmt+"'"+self.components.FirstName.text+"',"
>> ... (60+fields)
>>
>>

Eeps, don't do this (just dump the text in with ' and ')! Not only do you open yourself to all sorts of security problems, you're not getting any escaping of characters in the text, so it will fail if you have someone enter ain't can't or don't (which is also where the security problems start).

If you need something which generates SQL insert/update/refresh/delete code from a schema PyTable has code you can likely crib fairly easily:

http://cvs.sourceforge.net/viewcvs.py/pytable/table/pytable/dbrow.py?only_with_tag=HEAD&view=markup

The RowAction and its various sub-classes being the ones in which you're likely to be interested. Not sure how much of a schema you've got in "components", but the code there doesn't really do all *that* much with the schema other than figuring out the unique keys to use to specify the row.

At a minimum, use the database driver's escaping by passing in the query string with %(name)s or %s placeholders for each field and then pass the values in as extra arguments to execute. (The SQLQuery class on which the RowAction is based actually does two-level escaping, in case you're wondering how the query is being composed in the dbrow module above, so the first substitution changes the query string and the second is done by the driver to get data-type escaping).

I know, I know, not quite on topic, but it just made me go "ouch" when I saw it...

Mike
_______________________________________
Mike C. Fletcher
Designer, VR Plumber, Coder
http://members.rogers.com/mcfletch/
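
Added example, not part of the original thread and not PyTable's code: one way to combine the field-list idea from the question with the placeholder advice in the reply. It uses the standard-library sqlite3 driver, whose named placeholder is `:name` (a driver with the pyformat paramstyle would take `%(name)s` instead); the `LastName` column, the sample values and the helper names are assumptions.

```python
import re
import sqlite3

# Hypothetical field list, in the spirit of self.fields from the question.
FIELDS = ["SSNUM", "FirstName", "LastName"]
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")


def build_insert(table, fields, known_columns):
    """Return an INSERT with one named placeholder per field.

    Identifiers cannot be bound as parameters, so table and column names
    are checked against the schema instead of being pasted in unchecked.
    """
    for name in [table, *fields]:
        if not _IDENT.match(name):
            raise ValueError("bad identifier: %r" % (name,))
    unknown = [f for f in fields if f not in known_columns]
    if unknown or not fields:
        raise ValueError("fields do not match columns of %s: %s" % (table, unknown))
    cols = ", ".join(fields)
    marks = ", ".join(":" + f for f in fields)
    return "INSERT INTO %s (%s) VALUES (%s)" % (table, cols, marks)


def insert_member(conn, form_values):
    """form_values: dict of field name -> text read from the form widgets."""
    known = {r[0] for r in conn.execute(
        "SELECT name FROM pragma_table_info(?)", ("MEMBER",))}
    sql = build_insert("MEMBER", FIELDS, known)
    # Values travel separately from the SQL text; the driver does the quoting.
    conn.execute(sql, {f: form_values[f] for f in FIELDS})
    return sql


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MEMBER (SSNUM TEXT, FirstName TEXT, LastName TEXT)")
    # Constructed input: values with apostrophes that break the concatenated form.
    row = {"SSNUM": "000-00-0000", "FirstName": "ain't",
           "LastName": "O'Brien', 'x"}
    sql = insert_member(conn, row)
    return sql, conn.execute("SELECT * FROM MEMBER").fetchall()
```

The statement text is built only from schema-checked names, so a 60-field form needs no per-field string handling: extend `FIELDS` and the same code applies.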