Re: [SQLObject] Generic "find" & findOne method
SQLObject is a Python ORM.
From: Oleg B. <ph...@ma...> - 2004-12-21 20:33:18
On Tue, Dec 21, 2004 at 06:12:39PM -0200, Carlos Ribeiro wrote:
> Let's assume that you have the result of a web form. You can simply
> feed the form data to findOne as an argument. One possible example
> (using a slightly different and improved syntax):
>
> person.findOne(**form.getData())

Are you passing form data to SQL without validation?! Wow!! Isn't there a security risk?

Well, I am against such an addition to SQLObject. It is too specific. You can easily do it in your own project by creating a parent class like this:

    class Finding(SQLObject):
        def findOne(self, dict):
            ...

and use it as the base for all your tables:

    class Person(Finding):
        ...

Oleg.
--
Oleg Broytmann http://phd.pp.ru/ ph...@ph...
Programmers don't die, they just GOSUB without RETURN.
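The validation concern raised in the message above, as an added example that is not part of the original post and is not SQLObject code: a find-one helper that accepts raw form data only through an allow-list of searchable fields. It uses the standard-library sqlite3 module instead of SQLObject; the `person` table, the `SEARCHABLE` map and every function name are hypothetical.

```python
import sqlite3

def _name(value):
    if not isinstance(value, str) or not 0 < len(value) <= 64:
        raise ValueError("bad name")
    return value

def _age(value):
    if not isinstance(value, str) or not value.isdigit() or int(value) >= 150:
        raise ValueError("bad age")
    return int(value)

# Hypothetical allow-list: form field -> converter. password_hash is absent.
SEARCHABLE = {"first_name": _name, "last_name": _name, "age": _age}

def validate_form(form_data):
    """Return {column: value} for allow-listed, well-formed fields only."""
    unexpected = set(form_data) - set(SEARCHABLE)
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    if not form_data:
        raise ValueError("no search criteria")
    return {field: SEARCHABLE[field](raw) for field, raw in form_data.items()}

def find_one(conn, form_data):
    """Return the single matching row or None; raise if the match is ambiguous."""
    criteria = validate_form(form_data)
    # Column names come from the allow-list; values are bound parameters.
    where = " AND ".join(f"{column} = ?" for column in criteria)
    rows = conn.execute(
        f"SELECT id, first_name, last_name FROM person WHERE {where} LIMIT 2",
        list(criteria.values())).fetchall()
    if len(rows) > 1:
        raise LookupError("more than one row matches")
    return rows[0] if rows else None

def demo_db():
    """Constructed sample table, including a column that must not be searchable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, first_name TEXT,"
                 " last_name TEXT, age INTEGER, password_hash TEXT)")
    conn.executemany("INSERT INTO person VALUES (?, ?, ?, ?, ?)",
                     [(1, "Alice", "Smith", 30, "h1"), (2, "Bob", "Smith", 41, "h2")])
    return conn
```

Without the allow-list, a form that carries an extra `password_hash` field would turn the lookup into a yes/no test on that column; here the field is rejected before any SQL is built.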