On Thu, Aug 23, 2001 at 06:51:36PM -0400, Tom Jenkins wrote:
> > Andreas Heckel wrote:
> > > I have tried some other ways to access the query:
> > >
> > >     select * from table_name where table_field2='<dtml-sqlvar> argument2 type=string>';
> > >
> > > ... I need help. Any comments can help me. Thanks.
> >
> > select * from table_name where table_field2='<dtml-var argument2>'
> >
> > or
> >
> > select * from table_name where table_field2='<dtml-var "_.str(argument2)">'
>
> ACK! No, no, no, don't use <dtml-var> in a SQL method; use <dtml-sqlvar>.
> What if argument2 was set to "43;drop database mydatabase"? Yep, you'd get
> a select but your database would be erased. <dtml-sqlvar> does checks to
> keep this type of attack from happening.
Actually, DO do it, but only for testing purposes. The reason I want this done is that it should not depend in any way on any "string" method. Tom is 100% right that this is a gaping security problem and should never go into production code. Make sure you do it in a folder that you have marked for deletion, and delete it after testing. (background: some people are reporting problems with a particular database adapter, ZPoPyDA, and others (who have never seen such a problem) are trying to diagnose. Is it version dependent? Does the adapter do the right thing in the simplest cases? Which combinations of OS, Zope, Python, PoPy, and ZPoPyDA are failing? Is it only for <dtml-sqlvar ... type=string>? ...)
> --
> Tom Jenkins
> devIS - Development Infostructure
> http://www.devis.com
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
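As an added illustration of the point Tom makes above (this is not code from the thread, from Zope or from ZPoPyDA): a Python comparison of the raw `<dtml-var>` interpolation, `<dtml-sqlvar ... type=string>`-style quoting and a DB-API placeholder, run against a constructed sqlite3 table standing in for the poster's `table_name`. The `sql_quote` helper is my approximation of what sqlvar's string quoting does (an assumption, not Zope's implementation).

```python
import sqlite3

# Constructed sample rows; the second one contains a single quote on purpose,
# which is exactly the character that raw interpolation cannot cope with.
ROWS = [("43",), ("O'Brien",), ("plain",)]


def naive_sql(argument2):
    """The <dtml-var argument2> form from the thread: raw interpolation."""
    return "select * from table_name where table_field2='%s'" % argument2


def sql_quote(value):
    """Approximation (assumption) of sqlvar type=string quoting: double every
    embedded single quote so the value can never close the literal, then wrap
    the whole thing in quotes."""
    return "'" + str(value).replace("'", "''") + "'"


def sqlvar_sql(argument2):
    """The <dtml-sqlvar argument2 type=string> form, using sql_quote above."""
    return "select * from table_name where table_field2=%s" % sql_quote(argument2)


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table table_name (table_field2 text)")
    conn.executemany("insert into table_name values (?)", ROWS)
    return conn


def run(conn, sql):
    """Return the matching values, or "OperationalError" if the SQL is broken."""
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return "OperationalError"


def run_parameterized(conn, argument2):
    """DB-API placeholder: the driver never splices the value into the SQL text."""
    return [row[0] for row in conn.execute(
        "select * from table_name where table_field2=?", (argument2,))]


def compare(argument2):
    """Run all three forms for one value of argument2 on a fresh table."""
    conn = make_db()
    return {"naive": run(conn, naive_sql(argument2)),
            "sqlvar": run(conn, sqlvar_sql(argument2)),
            "param": run_parameterized(conn, argument2)}


if __name__ == "__main__":
    for arg in ("43", "O'Brien", "43;drop database mydatabase"):
        print(repr(arg), compare(arg))
```

With `O'Brien` the naive form produces a malformed statement while the quoted and parameterized forms return the row; this is the same structural weakness that lets a value change the meaning of the query.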