Zope SQL injection - Zope - Zope lists

newer
Re: Zope SQL injection

Zope SQL injection

older
Searching multiple catalogs

Andy Yates

18 Mar 2005 18 Mar '05

5:23 p.m.

Could somebody either point me to an article or explain what precautions should be taken to prevent SQL injection in Zope. If user entered form data is passed to a ZSQL method does something automajically db escape the data or is the programmer responsible for doing this. If the programmer is responsible, how is it done in Zope? Thanks! Andy

Attachments:

attachment.html (text/html — 1.8 KB)

Reply

Sign in to reply online Use email software

Show replies by date

Maik Jablonski

18 Mar 18 Mar

5:32 p.m.

New subject: [Zope] Re: Zope SQL injection

Andy Yates wrote:

Could somebody either point me to an article or explain what precautions should be taken to prevent SQL injection in Zope. If user entered form data is passed to a ZSQL method does something automajically db escape the data or is the programmer responsible for doing this. If the programmer is responsible, how is it done in Zope? Thanks!

Don't use <dtml-var> in ZSQL-Methods, use only <dtml-sqlvar>. <dtml-sqlvar> is escaping the parameter automagically, so nobody can inject malicious code... at least I hope so...;) Cheers, Maik

Reply

Sign in to reply online Use email software

7689

Age (days ago)

7689

Last active (days ago)

1 comments

2 participants

tags

participants (2)

Andy Yates
Maik Jablonski