[PEAK] Re: PEAK lesson 4

Phillip J. Eby pje at telecommunity.com
Wed Jan 16 20:28:25 EST 2008


At 10:01 PM 1/16/2008 +0100, Henning von Bargen wrote:
>Hello Phillip,
>on pythondev I stumbled across 
>http://peak.telecommunity.com/DevCenter/VisitorRevisited
>and from there I came to PEAK.
>The idea of PEAK seems quite promising.
>
>Just a few thoughts:
>
>As an experienced Oracle developer, I noticed the lack of using bind 
>variables in the tutorial,
>i.e. in the example snippet
>def _load(self, oid, ob):
>    row = ~self.customerdb("select GRP from customers where NAME='%s'" % oid)
>    m = self.data[row.GRP]['text'] % oid
>    return {'forname': oid, 'text': m}
>
>This introduces the risk of SQL injection and slow response time.
>cx_Oracle (and I think most of the other Python Database API 
>implementations as well)
>do support bind variables.
>
>Does the PEAK framework support bind variables in SQL statements?

Yes - but the SQLite binding used for that (many-years-old and 
slightly out of date) tutorial doesn't.


>If yes, it should be demonstrated in the tutorial.
>Far too many Java programmers tend to write bad SQL (without bind variables)
>just because they aren't shown how to use them in the tutorials.
>So the statement should probably better read
>def _load(self, oid, ob):
>    row = ~self.customerdb("select GRP from customers where NAME=:P_NAME",
>           P_NAME=oid)

It's almost like that: positional arguments following the SQL are 
passed to the cursor's execute method.  So if the database takes a 
dictionary as a positional argument after the SQL, then you'd pass 
dict(P_NAME=oid) as the parameter.


>I'll definitely keep an eye on PEAK and I hope it's a bit easier to 
>get something
>up and running than with all these Java frameworks.

Oh, it's definitely easier.  But unfortunately I haven't been working 
in an "enterprise" shop for almost four years now, so the PEAK core 
frameworks described on the DevCenter home page are in a state of 
some neglect.  I have a blogging application that uses some of the 
PEAK core, and I have done some occasional data conversion work using 
PEAK-based tools, but most of the action around PEAK these days is in 
spin-off toolkits like Trellis, Contextual, PEAK-Rules, etc., that 
are even more lightweight and modular than the "old PEAK" stuff.

By the way, please don't send me off-list emails regarding my open 
source projects; there is a PEAK mailing list for this type of discussion.
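A worked illustration of the two patterns discussed in this exchange, added here as an example; it is not code from the thread, from the PEAK tutorial, or from PEAK itself. The `CustomerDB` class is a hypothetical stand-in for the tutorial's `self.customerdb` object that only mimics the forwarding behaviour described above (arguments after the SQL string go straight to the DB-API cursor's `execute()`); the table contents are constructed sample data. The in-memory SQLite backend supports named bind variables, so the `:P_NAME` form with a `dict` parameter runs as written.

```python
import sqlite3

# Constructed sample data (not from the mailing-list post).
SAMPLE_ROWS = [("alice", "admins"), ("O'Brien", "staff")]


def make_db():
    """Build an in-memory customers table matching the tutorial's column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table customers (NAME text, GRP text)")
    conn.executemany("insert into customers values (?, ?)", SAMPLE_ROWS)
    return conn


class CustomerDB:
    """Hypothetical stand-in for the tutorial's `self.customerdb` object.

    Mirrors only the behaviour described in the reply: anything after the SQL
    string is forwarded unchanged to the DB-API cursor's execute().  This is
    NOT PEAK's implementation.
    """

    def __init__(self, conn):
        self.conn = conn

    def __call__(self, sql, *params):
        cur = self.conn.cursor()
        cur.execute(sql, *params)
        return cur.fetchone()


def load_unsafe(db, oid):
    # The tutorial's pattern: the value is spliced into the SQL text, so a
    # quote character in `oid` changes the structure of the statement itself.
    row = db("select GRP from customers where NAME='%s'" % oid)
    return row[0] if row else None


def load_safe(db, oid):
    # Bind variable: `:P_NAME` is a placeholder in the SQL, and the dict is the
    # single positional parameter handed to execute(), as suggested in the reply.
    # The driver transmits `oid` as data, never as SQL text.
    row = db("select GRP from customers where NAME=:P_NAME", dict(P_NAME=oid))
    return row[0] if row else None


def compare(oid):
    """Return (unsafe_result, safe_result) for one lookup.

    An exception raised by the unsafe path is reported as its class name so the
    difference between the two approaches is visible in the return value.
    """
    db = CustomerDB(make_db())
    try:
        unsafe = load_unsafe(db, oid)
    except sqlite3.Error as e:
        unsafe = type(e).__name__
    return unsafe, load_safe(db, oid)


if __name__ == "__main__":
    print(compare("alice"))    # ('admins', 'admins'): both paths agree on a plain name
    print(compare("O'Brien"))  # ('OperationalError', 'staff'): the quote breaks the
                               # string-formatted statement; the bound query is unaffected
```

The legitimate name `O'Brien` is enough to show the problem: with string formatting the apostrophe terminates the SQL literal early and the statement no longer parses, which is the same mechanism an attacker would exploit with a crafted value. With the bind variable the database receives the statement and the value separately, so the query both returns the right row and cannot be reshaped by its input; as the original poster notes, it also lets the server reuse the parsed statement across calls.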
