Please do *NOT* send HTML mails into this list!

Nick McDowell writes:
 > I have a Z SQL method that requires an "id" value which it uses to perform a select statement. I am trying to pass this "id" value via a URL, which calls a DTML method which in turn calls the Z SQL Method.

If I remember right, someone introduced into Zope 2.1.6's Z SQL methods that acquisition is stronger than explicitly passed arguments (and arguments from REQUEST, this is your case). One says it was for security reasons.
I think this is a big bug, and I will change it, whenever I should see it. If it is still in Zope 2.2, then you will have only 2 chances:

1. Rename your argument to something that is not acquired (as 'id' is). In your SQL, you can of course use the column name as it is defined by the table - similar to the following:

       .... where id = <dtml-sqlvar renamed_id type=string> ....

2. Change the code in "Shared.DC.ZRDB.DA.__call__", as I would do.

I did not yet work enough with Zope 2.2 to get hit by the bug (if it is still there). Therefore, I do not yet have a patch.

Dieter