[mod_python] mod_python & MySQLdb question: Done

Roy S. Rapoport mod_python at ols.inorganic.org
Fri Dec 19 06:33:34 EST 2003

On Thu, Dec 18, 2003 at 08:45:41AM -0800, tpc at csua.berkeley.edu wrote:
> hi Giampiero, can I ask you, being a newbie to Python
> myself, why you are switching to modpython from Zope ?
> I have heard many good things about Zope but have not
> had the time to download and use it, but from what I hear
> if you want to serve a complex database-backed application
> there is no better way.

I'm obviously not Giampiero, but I'll take a stab at answering the question
(disregarding Giampiero's specific circumstances).

I work for a privately-held financial institution in the IT group; I happen
to wear two hats, actually -- I'm a member of both the development and the
infrastructure groups.  Our choice of languages is Python, our choice of
platform on which to develop applications is the web, and our choice of web
platform on which to develop is Zope.  We are heavily invested in Zope and
we love it.  

I especially love Zope because it pretty much enforces an MVC architecture
-- ZSQL methods to access databases, python scripts for business logic,
DTML/ZPT for display logic.  

There's the upside.

The downside? The security (or lackthereof) aspects of running it sometimes
wake me up at night screaming.  OK, that's overstating it, but not by much

The problem with Zope is one of its nicest features -- in-band management.
Got a Zope server at http://my.server ?  Then you can manage it at
http://my.server/manage.  Want to manage http://my.server/some/path? Again,
you can go into the management interfact of Zope on that path at
http://my.server/some/path/manage.  All management of Zope is down through

Now, again, in some respects this is really nice -- it took us about two
hours to get up a Python program that allowed us to easily synchronize
content between two or more Zope servers by just sending URLs around.  On
the downside, this means that pretty much anyone in the world is guaranteed
to be able to access the management interface of your Zope server and then
it's just a password-guessing attack.  You can front Zope with Apache --
and you're advised to -- and we're continuing to fine-tune our httpd.conf
to block URLs that look like they're management URLs -- but it's a pain,
and error-prone, and not likely to ever be complete.  The official word on
the Zope list is "Yes, it's insecure.  Deal with it and accept it."

In-band management is really user-friendly.  I think it's also a very bad
idea.  I hope they go away from that one of these days.

Oh, one more thing:  Emblematic of many (but not all) open-source projects,
Zope is a wonderful, relatively-well-constructed product with absolutely
atrocious, horrific, monstrously-bad documentation.  It's incomplete (and
in some cases wrong).  Mind you, I'm not sure mod_python is much better,
but I'm not talking about it right now :)

Hope this is useful,
-roy (ex-CSUA and OCF member)

> On Thu, 18 Dec 2003, Giampiero Benvenuti wrote:
> > Thanks Manfred, now I'm starting to "see".
> > Great tip, it works like a "swiss" clock.
> >
> > > This:
> > >
> > >> 	rows = cursor.fetchall()
> > >> 	rows = list(rows)
> > >> 	for row in rows:
> > >> 		results = (row['news_title']+',<br>')
> > >> 		req.write(results)
> > >
> > > can be compressed to (and made faster):
> > >
> > >
> > > results = []
> > > for row in cursor.fetchall():
> > > 	results.append(row['news_title'])
> > > req.write("<br />".join(results))
> > >
> >
> > _______________________________________________
> > Mod_python mailing list
> > Mod_python at modpython.org
> > http://mailman.modpython.org/mailman/listinfo/mod_python
> >
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python

More information about the Mod_python mailing list