RE: [Zope] Re: Zope SQL injection
Andy Yates wrote:
Could somebody either point me to an article or explain what precautions should be taken to prevent SQL injection in Zope? If user-entered form data is passed to a ZSQL method, does something automagically DB-escape the data, or is the programmer responsible for doing this? If the programmer is responsible, how is it done in Zope? Thanks!
Don't use <dtml-var> in ZSQL Methods, use only <dtml-sqlvar>. <dtml-sqlvar> escapes the parameter automagically, so nobody can inject malicious code... at least I hope so... ;)
Cheers, Maik
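As an added illustration, not code from this thread or from Zope itself, here is a small Python stand-in for the difference Maik describes: a tiny renderer that pastes `<dtml-var>` values verbatim and quotes `<dtml-sqlvar>` values by their declared type. The `sql_quote` function only approximates what Zope's sqlvar does (real Zope defers to the database adapter's quoting); a legitimate value containing an apostrophe is enough to show why the verbatim form is unsafe.

```python
import re

def sql_quote(value, vtype):
    """Approximation of <dtml-sqlvar> quoting (assumed for this example,
    not Zope's own implementation): ints and floats are validated as
    numbers, strings are single-quoted with embedded quotes doubled."""
    if vtype == "int":
        return str(int(value))          # non-numeric input raises ValueError
    if vtype == "float":
        return repr(float(value))
    if vtype == "string":
        return "'" + str(value).replace("'", "''") + "'"
    raise ValueError("unknown sqlvar type: %r" % vtype)

SQLVAR = re.compile(r'<dtml-sqlvar\s+(\w+)\s+type="(\w+)">')
VAR = re.compile(r'<dtml-var\s+(\w+)>')

def render(template, params):
    """Render a ZSQL-style template: <dtml-sqlvar> tags are quoted by type,
    <dtml-var> tags are substituted verbatim (the unsafe form)."""
    out = SQLVAR.sub(lambda m: sql_quote(params[m.group(1)], m.group(2)), template)
    return VAR.sub(lambda m: str(params[m.group(1)]), out)

def quotes_balanced(sql):
    """Cheap sanity check: an odd number of single quotes means the
    statement's string boundaries were broken by the substituted value."""
    return sql.count("'") % 2 == 0

# Constructed templates: the first is the pattern Maik warns against.
UNSAFE = "SELECT * FROM users WHERE name = '<dtml-var name>'"
SAFE = ('SELECT * FROM users WHERE name = <dtml-sqlvar name type="string">'
        ' AND id = <dtml-sqlvar uid type="int">')

if __name__ == "__main__":
    params = {"name": "O'Brien", "uid": "7"}     # constructed form input
    print(render(UNSAFE, params))   # apostrophe ends the string literal early
    print(render(SAFE, params))     # apostrophe doubled, id validated as int
```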
Right, I use <dtml-sqlvar>. Now that I read the manual ;-) I clearly see that is what dtml-sqlvar prevents. Thanks! There has been a lot of buzz about SQL injection lately for some reason and I just wanted to make double sure I understand the basics.
Andy Yates wrote:
Right, I use <dtml-sqlvar>. Now that I read the manual ;-) I clearly see that is what dtml-sqlvar prevents. Thanks! There has been a lot of buzz about SQL injection lately for some reason and I just wanted to make double sure I understand the basics.
Well, another fail-safe way is just to not use a relational database in the first place <0.3 wink>
Chris
--
Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk