2 Aug 2006, 12:29 a.m.
On Tue, Aug 01, 2006 at 02:50:19PM -0400, Muk Yan wrote:
> Dear Coveted Braintrust,
> I was wondering if anyone had any experience with MySQL queries in Python in Zope:
People have already answered your main question, but:
> SELECT name FROM person WHERE ID = <dtml-var "REQUEST.SESSION.get('person_id')">
Never ever pass raw user input to a SQL query! If you're not familiar with the phrase "SQL injection"... google it :)

The Zope Book relational databases chapter explains how to use <dtml-sqlvar>, which is one way to avoid the danger.

-- 
Paul Winkler
http://www.slinkp.com
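To make the danger in the quoted query concrete, here is an added example that is not part of the thread and not Zope code. It reproduces the same `SELECT name FROM person WHERE ID = ...` lookup in plain Python against an in-memory SQLite table (a constructed sample; the thread used MySQL), first by pasting the session value into the SQL text the way `<dtml-var>` does, then with DB-API parameter binding, which is the same idea `<dtml-sqlvar>` applies on the Zope side. The table contents and the `lookup_*` function names are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed sample table shaped like the one in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (ID INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO person (ID, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],  # constructed rows
    )
    return conn


def lookup_unsafe(conn, person_id):
    """Mirror of the quoted <dtml-var> pattern: the session value becomes
    part of the SQL text, so it can rewrite the WHERE clause."""
    sql = "SELECT name FROM person WHERE ID = %s" % person_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, person_id):
    """Parameter binding: the value travels separately from the statement,
    so whatever it contains it is only ever compared against ID."""
    sql = "SELECT name FROM person WHERE ID = ?"
    return [row[0] for row in conn.execute(sql, (person_id,))]


def lookup_validated(conn, raw_value):
    """Defence in depth: reject anything that is not an integer before it
    reaches the database at all (what <dtml-sqlvar type="int"> is for).
    Raises ValueError on a payload such as '1 OR 1=1'."""
    person_id = int(raw_value)
    return lookup_safe(conn, person_id)


if __name__ == "__main__":
    db = make_db()
    # A session value an attacker controls (constructed payload).
    payload = "1 OR 1=1"
    print("unsafe, honest input :", lookup_unsafe(db, "2"))
    print("unsafe, payload      :", lookup_unsafe(db, payload))  # every row
    print("safe, honest input   :", lookup_safe(db, 2))
    print("safe, payload        :", lookup_safe(db, payload))    # nothing
    try:
        lookup_validated(db, payload)
    except ValueError as exc:
        print("validated, payload   : rejected (%s)" % exc)
```

The unsafe version returns every name in the table as soon as the session holds `1 OR 1=1`, because the text is parsed as part of the query. The bound version hands the same string to the driver as a value, so the database compares `ID` with a string that is not a number and returns no rows; the validated version refuses it before the query is even built. Binding alone already stops the structural change, and the type check on top of it is cheap.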