The example in the book doesn't work as is. You could use eval() as 
mentioned below, but that would present a security risk since anything can 
be submitted in request.vars.query. appadmin does this, but it does some 
parsing of the query first, and it is not publicly accessible, so not a 
security risk. To work properly, list_records should probably parse the 
query, confirm that the db, table, and fields referenced in the query 
actually exist, and then create the query object from those components.

Anthony

On Saturday, January 14, 2012 6:16:49 PM UTC-5, Alan Etkin wrote:
>
> > def list_records(): 
> >   table = request.args(0) 
> >   query = request.vars.query 
> >   records = db(query).select(db[table]) 
> >   return dict(records=records,table=table,query=query) 
>
> the fourth line passes a string to the db instance call that expects a 
> query object as those created with this statement: 
>
> q = db.mytable.myfield.id == <number> 
>
> Maybe you can do new_query = eval(q) to create the normal db call 
> input. The admin interface does something similar (I don't know if it 
> uses eval) as it processes queries sent by browser user input.

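The parse-then-validate approach Anthony describes, as an added illustration that is not code from this thread or from web2py itself: parse_query, build_query and SAMPLE_SCHEMA are assumed names, and the schema dict is a constructed stand-in for the tables and fields a real db would report. Nothing from request.vars is ever eval()'d; the string is matched against a strict grammar, the table and field are checked against the schema, and the comparison is then built by attribute access exactly as `db.mytable.myfield == 5` would be.

```python
import operator
import re

# Only these comparison operators are accepted; no arbitrary Python is evaluated.
_OPS = {
    "==": operator.eq, "!=": operator.ne,
    "<": operator.lt, "<=": operator.le,
    ">": operator.gt, ">=": operator.ge,
}

# Strict shape: <table>.<field> <op> <value>, where value is an integer or a
# single-quoted string without embedded quotes. Anything else is rejected.
_QUERY_RE = re.compile(
    r"^\s*(\w+)\.(\w+)\s*(==|!=|<=|>=|<|>)\s*(-?\d+|'[^']*')\s*$"
)


def parse_query(query, schema):
    """Validate a user-supplied query string against a known schema.

    ``schema`` maps table names to the set of their field names (assumed
    helper structure).  Returns (table, field, op, value) or raises ValueError.
    """
    # request.vars.query may be a list if the parameter is repeated; refuse it.
    if not isinstance(query, str):
        raise ValueError("query must be a single string")
    m = _QUERY_RE.match(query)
    if not m:
        raise ValueError("query does not match 'table.field <op> value'")
    table, field, op, raw = m.groups()
    if table not in schema:
        raise ValueError("unknown table: %s" % table)
    if field not in schema[table]:
        raise ValueError("unknown field: %s.%s" % (table, field))
    value = raw[1:-1] if raw.startswith("'") else int(raw)
    return table, field, op, value


def build_query(db, parsed):
    """Build the query from validated parts via attribute access on db.

    With web2py's DAL, db[table][field] is a Field and the comparison yields a
    Query object, so the result can be passed to db(...).select(...).
    """
    table, field, op, value = parsed
    return _OPS[op](db[table][field], value)


# Constructed schema standing in for db.tables / db[t].fields.
SAMPLE_SCHEMA = {"person": {"id", "name"}, "pet": {"id", "owner"}}
```

In a controller, the schema can be derived from `db.tables` and `db[t].fields` before calling `db(build_query(db, parsed)).select(db[table])`.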