Hello again. I'm at work now and I've tried some codes. Sorry again, I'm Spanish and my English is quite bad.

----- Original Message -----
From: "Jim Penny" <jpenny@universal-fasteners.com>
To: "Antonio Carrasco" <antoniojezu@hotmail.com>
Sent: Thursday, August 23, 2001 11:59 PM
Subject: Re: [Zope] Zope/PostgreSQL/PoPy
On Wed, Aug 22, 2001 at 11:50:05PM +0200, Antonio Carrasco wrote:
Ok, Jim, let's go again...
select * from Departments where name=<dtml-sqlvar name type=string>

I tried it.

Also, does select * from Departments where name='<dtml-var name sql_quote>' work?
OK! It works successfully! And it seems to be a good solution, because: "<< sql_quote Converts single quotes to pairs of single quotes. This is needed to safely include values in SQL strings. >>" (from Zope Help System, DTML Reference, var). But why doesn't <dtml-sqlvar name type=string> work? I think every one of us wants to know.
Now just a cotton picking minute. The form just above does not reference string at all. I don't see how it can be failing on a string error message.
This is not suitable for production code, due to security reasons. Does select * from Departments where name='<dtml-var name>' work?
Yes, it works too. But we have the security problem. "<< In addition to avoiding errors, SQL quoting is important for security. Suppose you had a query that makes a select:

select * from employees where emp_id=<dtml-var emp_id>

This query is unsafe since someone could slip SQL code into your query by entering something like 12; drop table employees as an emp_id. To avoid this problem you need to make sure that your variables are properly quoted. >>" From ZopeBook, Chapter 10: Relational Database Connectivity, Dynamic SQL queries, Inserting arguments with sql-var. Anyway, <dtml-var name sql_quote> doesn't resolve our problem, because:

"<<
SELECT * FROM Departments
<dtml-sqlgroup where>
  <dtml-sqltest id op=eq type=int optional>
<dtml-and>
  <dtml-if nombre>
    nombre='<dtml-var name sql_quote>'
  </dtml-if>
</dtml-sqlgroup>
>>"

From my code. We have to use dtml-if in all our multiple-argument queries with strings. Or is there another way to do it?
(Make sure punctuation is exactly as shown.)
Jim
I have tried it. And I have tried other ways. But nothing. I have spent two hours today trying and thinking of different ways. My last try is to find someone on this list who can make the query without problems. Farrell seems to be. But in RedHat. Tomorrow I'm going to write and specify all the product version data and OS used (it's Linux, but I can't remember more now). Thanks again, Jim.
Antonio Carrasco
Thanks a lot, Jim and others. I hope I can help all of you someday. Antonio Carrasco
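As an added illustration (not code from this thread, and not Zope's or DTML's own implementation), the Python script below emulates what the thread quotes about sql_quote (single quotes doubled before the value is pasted into the SQL text) against an in-memory SQLite table, and shows the bound-parameter form in which the value never becomes part of the SQL string at all. The Departments table, its two rows (one of them, "O'Neil", containing the apostrophe that breaks an unquoted string literal) and all function names are constructed for this example.

```python
import sqlite3


def sql_quote(value: str) -> str:
    """Emulate the behaviour the DTML reference describes for sql_quote:
    every single quote becomes a pair of single quotes, which is how a
    literal quote is written inside a SQL string literal."""
    return value.replace("'", "''")


def render_unquoted(value: str) -> str:
    """The unsafe form from the thread: the raw value is pasted into the query
    text. A quote in the value ends the literal early and changes the statement."""
    return f"select id from Departments where name='{value}'"


def render_quoted(value: str) -> str:
    """The sql_quote form: the value is escaped before being pasted in, so a
    quote inside the data stays inside the string literal."""
    return f"select id from Departments where name='{sql_quote(value)}'"


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample database: two departments, ids 1 and 2."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Departments (id integer primary key, name text)")
    conn.executemany(
        "insert into Departments (name) values (?)",
        [("Sales",), ("O'Neil",)],
    )
    return conn


def unquoted_lookup_fails(conn: sqlite3.Connection, name: str) -> bool:
    """Return True when the unquoted rendering is not even valid SQL for this
    value. For a name with an apostrophe the literal is cut short and the
    database rejects the statement; this is the class of error the thread
    is chasing, and the same mechanism is what an injected value abuses."""
    try:
        conn.execute(render_unquoted(name)).fetchall()
        return False
    except sqlite3.OperationalError:
        return True


def quoted_lookup(conn: sqlite3.Connection, name: str) -> list:
    """Look up a department by name using the sql_quote-style escaping."""
    return [row[0] for row in conn.execute(render_quoted(name))]


def bound_lookup(conn: sqlite3.Connection, name: str) -> list:
    """The preferred modern form: a bound parameter. The driver sends the
    value separately, so no quoting step is needed and nothing in the value
    can alter the statement. This is the alternative to wrapping every
    string argument in dtml-if plus sql_quote by hand."""
    return [row[0] for row in conn.execute(
        "select id from Departments where name = ?", (name,))]


if __name__ == "__main__":
    db = build_demo_db()
    print(render_unquoted("O'Neil"))          # broken literal
    print(render_quoted("O'Neil"))            # name='O''Neil'
    print(unquoted_lookup_fails(db, "O'Neil"))  # True
    print(quoted_lookup(db, "O'Neil"))        # [2]
    print(bound_lookup(db, "O'Neil"))         # [2]
```

Running the script shows the three renderings side by side: the unquoted query is rejected by the database as soon as the data contains a quote, the sql_quote rendering produces a well-formed literal ('O''Neil'), and the bound-parameter version returns the same row without any query-text manipulation. Escaping fixes the string case the thread discusses; binding removes the problem for every type, which is why it is the form to reach for where the database adapter supports it.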