Date: 04/27/2000 05:09 pm (Thursday)
From: Francois-Regis CHALAOUX
To: INET:zope@zope.org
Subject: ZSQL security restriction with Zope 2-1-6 ?

Hi All,

Since I upgraded from Zope-2.1.2 to Zope-2.1.6 I HAVE A BIG PROBLEM !!!

I created a little application to manage seminars. All the methods to consult these seminars work, but all the methods to upgrade, create, delete now return ERRORS. My DB is Gadfly.

Should I come back to 2.1.2?
Should I change something in my code?
Should I modify Zope-2.1.6?

Help, please.

FR

===========
Environment
===========
Linux Suse-6.2
Python 5.2
Zope-2.1.6 upgrade from Zope-2.1.2 with patch Zope-2.1.x-to-2.1.6-linux2-x86.tgz
Gadfly
===========

Below you can find the code of an example and the associated ERROR:

==========================
DTML Document saisies.html
==========================
<FORM ACTION="insert_seminar_do" METHOD="POST">
Blablabla ....
</FORM>

===============================
DTML Document insert_seminar_do
===============================
Blablabla ...
<!--#call "insert_seminar(REQUEST)"-->
Blablabla ...

=========================
SQL Method insert_seminar
=========================
Arguments : titre type jour numero mois annee heure minute nomconf prenomconf titreconf adresseconf lieu nomhote prenomhote url

insert into seminar
  (id, titre, type, jour, numero, mois, annee, heure, minute, floatdate,
   nomconf, prenomconf, titreconf, adresseconf, lieu,
   nomhote, prenomhote, url)
select max(id)+1,
  <!--#sqlvar titre type=string-->,
  <!--#sqlvar type type=string-->,
  <!--#sqlvar jour type=int-->,
  <!--#sqlvar numero type=int-->,
  <!--#sqlvar mois type=int-->,
  <!--#sqlvar annee type=int-->,
  <!--#sqlvar heure type=string-->,
  <!--#sqlvar minute type=string-->,
  <!--#var "tofltdate(REQUEST['numero'],REQUEST['mois'],REQUEST['annee'])"-->,
  <!--#sqlvar nomconf type=string-->,
  <!--#sqlvar prenomconf type=string-->,
  <!--#sqlvar titreconf type=string-->,
  <!--#sqlvar adresseconf type=string-->,
  <!--#sqlvar lieu type=string-->,
  <!--#sqlvar nomhote type=string-->,
  <!--#sqlvar prenomhote type=string-->,
  <!--#sqlvar url type=string-->
from seminar

=============================
tofltdate is an external method.
=============================
import string
import sys
from DateTime import *

def tofltdate(numero, mois, annee):
    # Build "annee/mois/numero 0:00pm US/Eastern" and return the DateTime as a float
    datum = string.join((str(annee) + "/" + str(mois) + "/" + str(numero)) + " 0:00pm US/Eastern", '')
    f = DateTime(datum)
    return float(f)

########################

Error type: NameError
Error value: REQUEST

Traceback (innermost last):
  File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/Publish.py, line 214, in publish_module
  File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/Publish.py, line 179, in publish
  File /opt/zope/Zope-2.1.2/lib/python/Zope/__init__.py, line 202, in zpublisher_exception_hook
    (Object: ElementWithAttributes)
  File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/Publish.py, line 165, in publish
  File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/mapply.py, line 160, in mapply
    (Object: insert_seminar_do)
  File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/Publish.py, line 102, in call_object
    (Object: insert_seminar_do)
  File /opt/zope/Zope-2.1.2/lib/python/OFS/DTMLDocument.py, line 166, in __call__
    (Object: insert_seminar_do)
  File /opt/zope/Zope-2.1.2/lib/python/DocumentTemplate/DT_String.py, line 502, in __call__
    (Object: insert_seminar_do)
  File /opt/zope/Zope-2.1.2/lib/python/DocumentTemplate/DT_Util.py, line 335, in eval
    (Object: insert_seminar(REQUEST))
    (Info: REQUEST)
  File <string>, line 0, in ?
  File /opt/zope/Zope-2.1.2/lib/python/Shared/DC/ZRDB/DA.py, line 424, in __call__
    (Object: insert_seminar)
  File /opt/zope/Zope-2.1.2/lib/python/DocumentTemplate/DT_String.py, line 502, in __call__
    (Object: <string>)
  File /opt/zope/Zope-2.1.2/lib/python/DocumentTemplate/DT_Util.py, line 335, in eval
    (Object: tofltdate(REQUEST['numero'],REQUEST['mois'],REQUEST['annee']))
    (Info: REQUEST)
  File <string>, line 0, in ?
NameError: (see above)