Passing python generated SQL to ZSQL in a DTML method
Hi. I have a dynamic Python generated SQL string which is available to a dtml-method page:

<dtml-var generated_sql> parses to: select item_id from items

I want to pass that string to a ZSQL method named: sqlMethod
with the argument: the_sql
and the content: <dtml-var the_sql>

In a dtml method I want to call sqlMethod, pass the generated_sql to it, and return the results, that is:

<dtml-in sqlMethod> <dtml-var item_id> </dtml-in>

Any suggestions on how to approach this?

Harlow Pinson
Indepth Learning
Email: hpinson@indepthl.com
Web: http://www.indepthl.com
Voice: 505-994-2135
FAX: 208-475-7678
On Mon, 17 Nov 2003 10:44:39 -0700 hpinson@indepthl.com wrote:
Hi. I have a dynamic Python generated SQL string which is available to a dtml-method page:
<dtml-var generated_sql> parses to: select item_id from items
I want to pass that string to a ZSQL method named: sqlMethod
with the argument: the_sql
and the content: <dtml-var the_sql>
In a dtml method I want to call sqlMethod, pass the generated_sql to it, and return the results, that is:
<dtml-in sqlMethod> <dtml-var item_id> </dtml-in>
Any suggestions on how to approach this?
Yes, don't. You have unlimited potential for SQL injection. This means that anyone who can access your application can modify any record whose table name can be guessed. They can also probably delete tables, and may be able to build tables. You probably don't want this.

The idea of dynamic SQL appears to be something that every Zope beginner comes to, sooner or later. I know it happened to me, and I even wrote a HOWTO on doing this. It is a bad idea.

Instead of trying to construct the minimum number of ZSQL methods, try to build the minimum number of secure methods. You will sleep much better.

Jim Penny
On Mon, 2003-11-17 at 09:54, Jim Penny wrote:
The idea of dynamic SQL appears to be something that every Zope beginner comes to, sooner or later.
I'd state this much more generally: the idea appears to be something that every beginner *web app* developer happens upon sooner or later. This issue isn't Zope-specific at all... it's an inherent danger with any middleware technology. $.02, Dylan
hpinson@indepthl.com wrote at 2003-11-17 10:44 -0700:
Hi. I have a dynamic Python generated SQL string which is available to a dtml-method page:
Generate the SQL *inside* the Z SQL method rather than passing it as a parameter (reason given by others). That stressed: you would pass generated SQL in the Z SQL method in the same way as you would pass any parameter: either via "REQUEST" or via keyword parameters.

-- Dieter
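The difference the thread is arguing about, shown as an added example that is not from any of the posters. DTML cannot be run outside Zope, so plain Python with sqlite3 stands in: `run_generated_sql` is the design the original post asked for (a Z SQL method whose whole body is `<dtml-var the_sql>`), `items_for_owner_unsafe` is the same splicing applied to a single value (what `<dtml-var>` does inside a query), and `items_for_owner_safe` keeps the query text fixed inside the method and binds only the value, which is the role `<dtml-sqlvar>` plays in a Z SQL method. The `items` table, its `owner` column and the attacker strings are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the poster's "items" table.
SAMPLE_ITEMS = [
    (1, "alice"),
    (2, "alice"),
    (3, "bob"),
    (4, "carol"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed items table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table items (item_id integer primary key, owner text)")
    conn.executemany("insert into items values (?, ?)", SAMPLE_ITEMS)
    return conn


def run_generated_sql(conn: sqlite3.Connection, the_sql: str) -> list:
    """What the original post asked for: a method whose body is just
    <dtml-var the_sql>. Whoever controls the_sql controls the database."""
    return conn.execute(the_sql).fetchall()


def items_for_owner_unsafe(conn: sqlite3.Connection, owner: str) -> list:
    """The value is spliced into the query text, as <dtml-var owner> would do.
    Quotes in `owner` end the string literal and the rest is parsed as SQL."""
    sql = f"select item_id from items where owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def items_for_owner_safe(conn: sqlite3.Connection, owner: str) -> list:
    """The query text is fixed inside the method; only the value travels as a
    bound parameter. In a Z SQL method <dtml-sqlvar owner type=string> fills
    this role; here sqlite3's '?' placeholder does."""
    sql = "select item_id from items where owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def demo() -> dict:
    """Run each variant against honest and hostile input and collect results."""
    conn = make_db()
    honest = "alice"
    # Constructed attacker input: closes the quoted string and appends a
    # tautology so the WHERE clause matches every row, not just alice's.
    hostile = "alice' OR '1'='1"
    results = {
        "unsafe_honest": items_for_owner_unsafe(conn, honest),
        "unsafe_hostile": items_for_owner_unsafe(conn, hostile),
        "safe_honest": items_for_owner_safe(conn, honest),
        "safe_hostile": items_for_owner_safe(conn, hostile),
    }

    # The pass-the-whole-statement design from the post, on a fresh database:
    # the caller is not limited to SELECT, so a hostile the_sql can empty the
    # table (Jim Penny's "modify any record whose table name can be guessed").
    conn2 = make_db()
    run_generated_sql(conn2, "delete from items")  # constructed hostile the_sql
    results["rows_left_after_hostile_the_sql"] = conn2.execute(
        "select count(*) from items"
    ).fetchone()[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The safe variant does not try to sanitise the input; it never lets the input become query text in the first place, which is why the hostile string simply matches no owner. That is the property Dieter's advice buys you: the Z SQL method owns the statement, and REQUEST or keyword parameters carry values only.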
participants (4)
- Dieter Maurer
- Dylan Reinhardt
- hpinson@indepthl.com
- Jim Penny