[web2py] how to pass a query or db set through a URL securely


Richard

Apr 28, 2015, 12:10:59 PM4/28/15
to web...@googlegroups.com
Hello,

I need to pass a db_set to a widget that is used in an IS_IN_DB() validator. This has to be done so that the widget, which is a custom autocomplete widget using Bootstrap typeahead, can make the correct query with an ajax call to a function returning JSON, which feeds the widget with results based on user input... Actually my widget doesn't consider the requires of the field when populating the dropdown, which has the side effect that elements suggested based on user input are not in the db because of the IS_IN_DB() validator set... So, I want to pass the set to the widget so it can digest it and send the query to the sub-function returning JSON on the ajax call, to feed the autocomplete widget with proper suggestions...

So, I know I can pass a bunch of vars, then recreate the query on the other side and reduce the query like that:

from functools import reduce  # builtin in Python 2, must be imported in Python 3

# where_clauses is a list of DAL Query objects; AND them together into one query
query = reduce(lambda a, b: a & b, where_clauses)
rows = db(query).select(*output_columns)

But I wouldn't want to construct the db_set query inside the function returning JSON, because it is restrictive: I have a predetermined query constructor based on the variables available, and I would have to write a new query constructor for every db_set... I want something more flexible than that... But I am concerned about security if I pass the query as URL vars... Is this a bad/good idea?

Thanks

Richard

Richard Vézina

Apr 28, 2015, 12:15:47 PM4/28/15
to web2py-users
I guess the best option would be to do the same as SQLFORM.grid search??

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to web2py+un...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Richard Vézina

Apr 28, 2015, 12:23:25 PM4/28/15
to web2py-users
How do I extract the operator of the query in the familiar "==" or "=" form?

db_set.query.second.op returns an adapter-bound operator...

Richard

Richard Vézina

Apr 28, 2015, 2:58:27 PM4/28/15
to web2py-users
I might be better off constructing my db() set like so, instead of deconstructing it to get the query components:

from gluon.dal import smart_query

# Keyword string in smart_query syntax; the id of the "void" reference row
# is looked up first and substituted into the string
keywords = \
    'table1.f1 = True and ' \
    'table1.f2 != {0}'.format(
        db(db.ref_table.f1 == 'Annulé - Void'
           ).select(db.ref_table.id).first().id)

# Fields that smart_query is allowed to resolve names against
fields = [db.table1.f1,
          db.table1.f2]

# Parse the keyword string into a DAL Query and build the set from it
active_set = db(smart_query(fields, keywords))

So I don't have a duplicated query: the one passed as vars in the URL and the one used to create the IS_IN_DB() db_set.
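The first message asks whether a query can safely travel through URL vars, and the smart_query keyword string above is exactly the kind of value that would. The following is an added example, not code from this thread or from web2py: it signs the keyword string server-side with HMAC-SHA256 before it goes into the URL and verifies it on the JSON endpoint, so an altered or unsigned value never reaches the database layer. It mirrors what web2py's own URL(..., hmac_key=...) and URL.verify() do for a whole URL, but is written standalone so it runs without web2py. The SECRET_KEY and ALLOWED_FIELDS values, and the function names, are assumptions of the example; the allow-list is defense in depth, so even a validly signed string can only name the fields the widget was built for.

```python
"""
Added example (not from the thread or from web2py): pass a smart_query-style
keyword string through URL vars without letting the client rewrite it.
"""
import hmac
import hashlib
import re
from urllib.parse import urlencode, parse_qs

# Server-side secret (constructed placeholder). In web2py this would be read
# from a private file or the session, never sent to the client.
SECRET_KEY = b"replace-with-a-random-server-side-key"

# Fields the autocomplete endpoint may filter on (constructed allow-list).
ALLOWED_FIELDS = {"table1.f1", "table1.f2"}

# Matches table.field references inside the keyword string.
FIELD_RE = re.compile(r"\b([a-zA-Z_]\w*\.[a-zA-Z_]\w*)\b")


def sign(keywords: str) -> str:
    """Hex HMAC-SHA256 of the keyword string under the server key."""
    return hmac.new(SECRET_KEY, keywords.encode("utf-8"), hashlib.sha256).hexdigest()


def build_url_vars(keywords: str) -> str:
    """Server side (when rendering the widget): serialise the keyword string
    and its signature into a query string for the ajax URL."""
    return urlencode({"keywords": keywords, "_signature": sign(keywords)})


def verify_url_vars(query_string: str) -> str:
    """Endpoint side: return the keyword string only if the signature matches
    and every referenced field is allow-listed; raise ValueError otherwise."""
    vars_ = parse_qs(query_string, keep_blank_values=True)
    try:
        keywords = vars_["keywords"][0]
        signature = vars_["_signature"][0]
    except (KeyError, IndexError):
        raise ValueError("missing keywords or signature")
    # Constant-time comparison so the expected digest is not leaked via timing.
    if not hmac.compare_digest(signature, sign(keywords)):
        raise ValueError("signature mismatch: keywords were altered")
    disallowed = set(FIELD_RE.findall(keywords)) - ALLOWED_FIELDS
    if disallowed:
        raise ValueError("field not allowed: %s" % ", ".join(sorted(disallowed)))
    return keywords


def is_accepted(query_string: str) -> bool:
    """True if the endpoint would hand these vars on to smart_query."""
    try:
        verify_url_vars(query_string)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    original = "table1.f1 = True and table1.f2 != 42"
    qs = build_url_vars(original)
    print("signed vars   :", qs)
    print("verified      :", verify_url_vars(qs))
    # Same signature, edited keywords: rejected.
    tampered = urlencode({"keywords": "table1.f1 = True and table1.f2 != 7",
                          "_signature": sign(original)})
    print("tampered ok?  :", is_accepted(tampered))
    # Correctly signed but naming a field outside the allow-list: rejected.
    print("other field ok:", is_accepted(build_url_vars("other.secret = 1")))
```

On the endpoint, the verified string is what you would hand to smart_query(fields, keywords); since the server is the only party holding SECRET_KEY, the client can submit the widget's query but cannot widen it.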

Richard Vézina

Apr 28, 2015, 4:09:25 PM4/28/15
to web2py-users
doh!

Can we do this kind of query with the SQLFORM.grid search tool:

# each comparison is parenthesised: in Python "|" and "&" bind tighter than "==" and "!="
q = (((db.table.field == 'something') | (db.table.field != None)) & (db.table.other_field == something))

??

Richard