then to do it safely you would have to either modify the source of sqlvar ([zope_base]/lib/python/Shared/DC/ZRDB/sqlvar.py) to give you a non-quoted type to use for table etc. names [slight case of overkill], or call a generic python method with your values, which can do any checks for safety you need, e.g. make sure there are no ';'s, then that script calls your zsql method with the checked parameters. But make sure your zsql method can only be called by the python script - give it a local contextual role, and only let this role call the zsql method.

Eugen Nedelcu wrote:
On Thu, Jan 30, 2003 at 12:21:55PM +0000, Ben Avery wrote:
Eugen,
You can't easily do what you're trying to, safely. The <dtml-sqlvar ...> was created so that the variable substitution methods couldn't be maliciously used by people passing in a parameter of e.g. "3;drop database mydb", which would terminate the first sql statement, then make a new arbitrary one.
I am aware of that.
Personally, I have created a method for each table, e.g. delete from employee where <dtml-sqltest emp_id multiple>
It is a pain to do this, but it's the only way without opening up your system to major risks.
My application is one like Webmin or PHPMyAdmin, so it must be generic!
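As an added illustration of the wrapper approach Ben describes, and not code from this thread or from Zope: values are passed as bind parameters (the job <dtml-sqlvar> does), while table and column names, which no database driver lets you bind, are checked against a strict identifier pattern and an allowlist before they are spliced into the statement. Python's sqlite3 module stands in for the ZSQL method; the function names and the `employee` sample table are assumptions made for the example.

```python
import re
import sqlite3

# Identifiers (table/column names) cannot be bound as parameters, so a generic
# method must check them before they reach the SQL text. A strict pattern plus
# an allowlist is narrower than just rejecting ';' and covers quotes, comments
# and whitespace tricks as well.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


class UnsafeIdentifier(ValueError):
    """Raised when a caller-supplied name is not a plain SQL identifier."""


def check_identifier(name, allowed=None):
    """Return name if it is a plain identifier (and, if given, in the allowlist)."""
    if not isinstance(name, str) or not IDENTIFIER_RE.match(name):
        raise UnsafeIdentifier("rejected identifier: %r" % (name,))
    if allowed is not None and name not in allowed:
        raise UnsafeIdentifier("identifier not in allowlist: %r" % (name,))
    return name


def quote_identifier(name):
    """Double-quote an already-checked identifier (SQL standard quoting)."""
    return '"%s"' % name.replace('"', '""')


def build_delete(table, column, values, allowed_tables):
    """Build 'DELETE FROM t WHERE c IN (?, ...)'; values stay as bind parameters.

    This is the generic equivalent of the per-table
    'delete from employee where <dtml-sqltest emp_id multiple>' method.
    """
    table = check_identifier(table, allowed_tables)
    column = check_identifier(column)
    if not values:
        raise ValueError("no values given")
    placeholders = ", ".join("?" for _ in values)
    sql = "DELETE FROM %s WHERE %s IN (%s)" % (
        quote_identifier(table), quote_identifier(column), placeholders)
    return sql, tuple(values)


def demo():
    """Run the wrapper against a constructed in-memory table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (emp_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?)",
                     [(1, "a"), (2, "b"), (3, "c")])
    allowed = {"employee"}

    sql, params = build_delete("employee", "emp_id", [1, 3], allowed)
    conn.execute(sql, params)
    remaining = [r[0] for r in conn.execute(
        "SELECT emp_id FROM employee ORDER BY emp_id")]

    # The "3;drop ..." style value from the thread is bound, not spliced, so it
    # is compared as data against emp_id and simply matches no row.
    sql, params = build_delete("employee", "emp_id",
                               ["3;drop table employee"], allowed)
    conn.execute(sql, params)
    still = [r[0] for r in conn.execute("SELECT emp_id FROM employee")]
    return remaining, still


if __name__ == "__main__":
    print(demo())
```

The identifier check is deliberately stricter than "no ';'": it only admits names that are valid unquoted identifiers, and the allowlist means a caller cannot reach tables the application never meant to expose, which is the same restriction Ben gets from the local contextual role on the ZSQL method.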