18 Mar 2005, 5:32 p.m.
Andy Yates wrote:
Could somebody either point me to an article or explain what precautions should be taken to prevent SQL injection in Zope? If user-entered form data is passed to a ZSQL method, does something automajically db escape the data, or is the programmer responsible for doing this? If the programmer is responsible, how is it done in Zope? Thanks!
Don't use <dtml-var> in ZSQL-Methods, use only <dtml-sqlvar>. <dtml-sqlvar> escapes the parameter automagically, so nobody can inject malicious code... at least I hope so... ;)

Cheers,
Maik
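
Added example, not part of the original thread: the body of a ZSQL method written with <dtml-var> and then with <dtml-sqlvar>, plus the <dtml-sqltest> form for optional filters. The table, column and argument names (customers, name, user_id) are constructed for illustration, and the three bodies are alternatives for separate ZSQL methods, not one statement.

```sql
-- ZSQL method arguments (constructed): name user_id

-- 1) Weak form: dtml-var pastes the raw request value into the SQL text.
--    A legitimate value such as O'Brien already breaks the statement,
--    because the quote in the value ends the SQL string literal early.
SELECT id, name, email
  FROM customers
 WHERE name = '<dtml-var name>'
   AND id = <dtml-var user_id>

-- 2) Corrected form: dtml-sqlvar quotes the value according to its
--    declared type. For type="string" the tag emits the surrounding
--    quotes itself and escapes embedded ones, so the template must not
--    wrap it in '...'. For type="int" a value that does not convert to
--    an integer raises an error before any SQL is sent to the database.
SELECT id, name, email
  FROM customers
 WHERE name = <dtml-sqlvar name type="string">
   AND id = <dtml-sqlvar user_id type="int">

-- 3) Optional filters: dtml-sqltest renders a whole "column op value"
--    test with the same type-aware quoting, and dtml-sqlgroup drops the
--    WHERE keyword and the AND when an optional argument is missing.
SELECT id, name, email
  FROM customers
<dtml-sqlgroup where>
  <dtml-sqltest name type="string" optional>
<dtml-and>
  <dtml-sqltest user_id column="id" type="int" optional>
</dtml-sqlgroup>
```

These tags only quote values. Table names, column names or ORDER BY fragments taken from a request still have to be checked against a fixed list, since there is no quoting tag for identifiers.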