On Mon, 17 Nov 2003 10:44:39 -0700 hpinson@indepthl.com wrote:
Hi. I have a dynamic Python generated SQL string which is available to a dtml-method page:
<dtml-var generated_sql> parses to: select item_id from items
I want to pass that string to a ZSQL method named: sqlMethod
with the argument: the_sql
and the content: <dtml-var the_sql>
In a dtml method I want to call sqlMethod, pass the generated_sql to it, and return the results, that is:
<dtml-in sqlMethod> <dtml-var item_id> </dtml-in>
Any suggestions on how to approach this?
Yes, don't. You have unlimited potential for SQL injection. This means that anyone who can access your application can modify any record whose table name can be guessed. They can also probably delete tables, and may be able to build tables. You probably don't want this.

The idea of dynamic SQL appears to be something that every Zope beginner comes to, sooner or later. I know it happened to me, and I even wrote a HOWTO on doing this. It is a bad idea.

Instead of trying to construct the minimum number of ZSQL methods, try to build the minimum number of secure methods. You will sleep much better.

Jim Penny
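The problem Jim describes, as an added example that is not from the thread or from Zope: a method whose body is just the caller's string executes whatever the caller sends, and a ZSQL method's arguments arrive from the request when it is called through the web. Python's standard-library sqlite3 stands in for the Zope database adapter; the `items` table and `item_id` column come from the question, while the `category` column, the sample rows, the `NAMED_QUERIES` dict and the `DELETE` / `sqlite_master` payloads are constructed for the demonstration. The `?` placeholder plays the role that `<dtml-sqlvar>` plays in a ZSQL method: the statement text is fixed by the application and only values are supplied by the caller.

```python
import sqlite3

# Constructed sample data; table and column names mirror the question.
SAMPLE_ITEMS = [(1, "widget", "tools"), (2, "gadget", "tools"), (3, "doodad", "toys")]


def make_db():
    """In-memory database standing in for the ZSQL method's connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (item_id INTEGER PRIMARY KEY, name TEXT, category TEXT)"
    )
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", SAMPLE_ITEMS)
    conn.commit()
    return conn


def run_dynamic_sql(conn, the_sql):
    """The pattern from the question: the method body is the caller's string.
    Nothing here decides what the statement does; the caller does."""
    cur = conn.execute(the_sql)
    conn.commit()
    return cur.fetchall()


# Fixed statements with bound parameters (the '?' stands in for <dtml-sqlvar>).
# The caller may pick a name from this dict and supply values, never SQL text.
NAMED_QUERIES = {
    "items_in_category": "SELECT item_id FROM items WHERE category = ? ORDER BY item_id",
    "item_by_id": "SELECT item_id, name FROM items WHERE item_id = ?",
}


def run_named_query(conn, name, *params):
    """Safe counterpart: statement chosen by the application, data bound as
    parameters, so hostile input can only ever be a value that matches nothing."""
    if name not in NAMED_QUERIES:
        raise KeyError(f"no such query: {name}")
    return conn.execute(NAMED_QUERIES[name], params).fetchall()


def count_items(conn):
    return conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]


def demo():
    conn = make_db()
    results = {}

    # Intended use of the dynamic method, exactly the string from the question.
    results["intended"] = run_dynamic_sql(conn, "select item_id from items")

    # Anyone who can reach the method can send a different string: first learn
    # the table names, then modify or delete whatever those tables hold.
    results["tables_enumerated"] = run_dynamic_sql(
        conn, "SELECT name FROM sqlite_master WHERE type = 'table'"
    )
    run_dynamic_sql(conn, "DELETE FROM items")
    results["rows_after_attack"] = count_items(conn)

    # The same hostile text against the fixed-statement version is just a
    # category value that matches no row; the table is untouched.
    conn = make_db()
    results["safe_normal"] = run_named_query(conn, "items_in_category", "tools")
    results["safe_hostile"] = run_named_query(conn, "items_in_category", "DELETE FROM items")
    results["rows_after_safe"] = count_items(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the dynamic method returning the expected ids once, then obligingly listing the schema and emptying the table for the next caller, while `run_named_query` handed the same string returns no rows and leaves all three items in place. This is the shape of Jim's "minimum number of secure methods": a small, fixed set of parameterised statements rather than one method that executes anything.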