Hi there... Just for pessimism's sake, I delved into it a bit further. I've created the following. Total overkill on the processing, but the base implications are still there. Ignore the fact that this goes around the ZObjects schema. My first experience with Zope came after working for Compuware in Tech Support for their Uniface product. Its sql engine would do all base level transactions from a template scheme, and would perform a much more advanced version of below. So I just want to look into the pros/cons of doing the below. In other words humour me ;-) About below: A) Using SQLSession on top of this, you can ensure whether it runs or not... In this instance, can -var instead of sqlvar really be hacked? B) This is a simple select. If you give level rights to authenticated users, then this could be extended to do any command providing the SESSION['validate'] is set accordingly. Doesnt this make it much easier then? What would still be wrong with this? Thanks for reply, Paz -------

ZQL Method< select:required as:optional sfrom:required where:optional operand:optional equals:optional orderby:optional dir:optional

<dtml-call "SESSION.set('validate', -1)"> <dtml-in "(_.str(select), _.str(as), _.str(sfrom), _.str(where), _.str(operand), _.str(orderby), _.str(equals), _.str(dir))"> <dtml-let a=sequence-item> <dtml-in "('create', 'drop', 'alter', 'rename', 'optimize', 'backup', 'restore', 'repair', 'delete', 'truncate', 'replace', 'update', 'kill', 'grant', 'revoke', 'set', 'lock')"> <dtml-let b=sequence-item> <dtml-if "_.string.find(_.string.lower(a), b)!=-1"> <dtml-call "SESSION.set('validate', 0)"> <dtml-else> <dtml-call "SESSION.set('validate', 1)"> </dtml-if> </dtml-let> </dtml-in> </dtml-let> </dtml-in> <dtml-if "SESSION['validate']==1"> select <dtml-var select> <dtml-if "as">as <dtml-var as></dtml-if> from <dtml-var sfrom> <dtml-if "where">where <dtml-var where> <dtml-if "operand"><dtml-var operand><dtml-if "equals"><dtml-var equals></dtml-if></dtml-if></dtml-if> <dtml-if "orderby">order by <dtml-var orderby> <dtml-if "dir"><dtml-var dir></dtml-if></dtml-if> <dtml-elif "SESSION['validate']==0"> <span class="error">Pissoff Hacker.... You attempts to exploit the system have been logged</span><dtml-comment><dtml-call "SESSION.set('state', 'ERROR')"></dtml-comment> <dtml-elif "SESSION['validate']==-1"> <span class="error">Nothing happened</span> <dtml-else> <span class="error">There was an ERROR</span> </dtml-if> -----Original Message----- From: zope-admin@zope.org [mailto:zope-admin@zope.org]On Behalf Of ender Sent: Saturday, March 10, 2001 12:11 PM To: Paz; Zope Subject: Re: [Zope] Saturday morning SELECT On Saturday 10 March 2001 01:14, Paz wrote:

...

Morning/Afternoon/Night,

Lazy Saturday morning, and I can't be bothered to leave the house. I've made a little template, but Im wondering if its Pandora's box...

...

ZSQL Method<

select:required as:optional from:required where:optional

select <dtml-var select> <dtml-if "as">as <dtml-var as></dtml-if> from <dtml-var from> <dtml-if "where">where <dtml-var where></dtml-if> <dtml-if "operand"><dtml-var operand></dtml-if> <dtml-if "equals"><dtml-var equals></dtml-if>

It renders any way you please... Obviously you need very tight security on this as to who can access it... But other than using AUTHENTICATED_USER, is there any possible way you might exploit this? I have a habit of doing most of my work in the db, and something like this would totally ease the way I build forms.....

this is suicidal, IMO, in oracle i might try (obviously untested) select == '1 from dual; drop table users cascade;' you should try to use sqlvars in sqlmethods. if you're just using it for development, maybe, but it seems rather risky to me for anything production. cheers kapil _______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )