On Saturday 10 March 2001 01:14, Paz wrote:
Morning/Afternoon/Night,
Lazy Saturday morning, and I can't be bothered to leave the house. I've made a little template, but I'm wondering if it's Pandora's box...
ZSQL Method:

  Arguments:
    select:required as:optional from:required where:optional

  Body:
    select <dtml-var select>
    <dtml-if "as">as <dtml-var as></dtml-if>
    from <dtml-var from>
    <dtml-if "where">where <dtml-var where></dtml-if>
    <dtml-if "operand"><dtml-var operand></dtml-if>
    <dtml-if "equals"><dtml-var equals></dtml-if>
It renders any way you please... Obviously you need very tight security on this as to who can access it... But other than using AUTHENTICATED_USER, is there any possible way you might exploit this? I have a habit of doing most of my work in the db, and something like this would totally ease the way I build forms.
This is suicidal, IMO. In Oracle I might try (obviously untested):

  select == '1 from dual; drop table users cascade;'

You should try to use sqlvars in SQL methods. If you're just using it for development, maybe, but it seems rather risky to me for anything production.

Cheers,
Kapil
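The point of Kapil's reply is that the template above lets callers supply raw SQL text for every part of the statement, so the only thing standing between a form field and the database is access control on the method. The usual fix has two halves: bind data values as parameters (what `<dtml-sqlvar>` does in a ZSQL method) and, because table and column names cannot be bound, check identifiers against a fixed allowlist rather than interpolating them. The following is an added example, not code from this thread or from Zope; it uses Python's `sqlite3` with a constructed `users` table, and the allowlist contents, the `build_query`/`run_query` helpers and the `(column, operator, value)` shape of the `where` argument are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample schema and rows, standing in for a real users table.
SAMPLE_ROWS = [(1, "alice", "admin"), (2, "bob", "user")]

# Allowlists replace the free-form `select`/`from`/`where` arguments of the
# template: identifiers cannot be passed as bound parameters, so they are
# validated against a fixed set instead of being pasted into the SQL text.
ALLOWED_TABLES = {"users": {"id", "name", "role"}}
ALLOWED_OPERATORS = {"=", "<", ">", "<=", ">=", "!="}


def _connect():
    """Open an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer, name text, role text)")
    conn.executemany("insert into users values (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_query(select, table, where=None):
    """Return (sql, params).

    `select` is a list of column names, `table` a table name and `where` an
    optional (column, operator, value) triple. Only the value is treated as
    data and bound with a placeholder (the sqlvar equivalent); the column,
    table and operator must appear in the allowlists or the call is refused.
    """
    if table not in ALLOWED_TABLES:
        raise ValueError("table not allowed: %r" % table)
    columns = ALLOWED_TABLES[table]
    for col in select:
        if col not in columns:
            raise ValueError("column not allowed: %r" % col)
    sql = "select %s from %s" % (", ".join(select), table)
    params = []
    if where is not None:
        col, op, value = where
        if col not in columns or op not in ALLOWED_OPERATORS:
            raise ValueError("where clause not allowed: %r" % (where,))
        sql += " where %s %s ?" % (col, op)
        params.append(value)
    return sql, params


def run_query(select, table, where=None):
    """Build the statement, execute it with bound parameters, return the rows."""
    conn = _connect()
    try:
        sql, params = build_query(select, table, where)
        return conn.execute(sql, params).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    print(run_query(["name"], "users", ("role", "=", "admin")))
    # A value carrying SQL text is bound as a plain string literal, so it
    # simply matches no row instead of changing the statement.
    print(run_query(["name"], "users", ("role", "=", "admin; drop table users")))
    # An identifier that is not on the allowlist never reaches the database.
    try:
        run_query(["name"], "users; drop table users")
    except ValueError as exc:
        print("rejected:", exc)
```

The trade-off is that the method stops being "renders any way you please": every table, column and operator a form may use has to be listed up front. That list is exactly the security boundary the original template lacks, and it is a much smaller thing to review than the set of users allowed to call the method.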