Re: [Zope] Dynamic ordering of DTML-IN? - Zope - Zope lists

newer
RE: [Zope] Opensource DBMS for WIN?

Re: [Zope] Dynamic ordering of DTML-IN?

older
Getting an object from it's id

Oliver Bleutgen

23 Jan 2001 23 Jan '01

2:45 p.m.

Then change your Z SQL Method to look like;

select * from Customers where foofield=<dtml-sqlvar search type=string> <dtml-if orderby> ORDER BY <dtml-var orderby> </dtml-if>

Hmm, I wouldn't do that, you're trusting the client here, imagine someone going to http://yourserver/staff?orderby=firstname%20;%20delete from Customers; (sufficient dbuser rights assumed) I would use staff?order_id=1 (2,3,...) etc. and then set orderby via a dictionary (or some simple dtml-ifs). cheers, oliver

Reply

Sign in to reply online Use email software

Show replies by date

Andrew Kenneth Milton

23 Jan 23 Jan

3:10 p.m.

New subject: [Zope] Dynamic ordering of DTML-IN?

+-------[ Oliver Bleutgen ]---------------------- | > Then change your Z SQL Method to look like; | | > select * from Customers where | > foofield=<dtml-sqlvar search type=string> | > <dtml-if orderby> | > ORDER BY <dtml-var orderby> | > </dtml-if> | | Hmm, I wouldn't do that, you're trusting the client here, | imagine someone going to | | http://yourserver/staff?orderby=firstname%20;%20delete from Customers; You always validate external input, especially in a web environment. I didn't think it was necessary to spell that out. -- Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew Milton The Internet (Aust) Pty Ltd | F:+61 7 3870 4477 | ACN: 082 081 472 ABN: 83 082 081 472 | M:+61 416 022 411 | Carpe Daemon PO Box 837 Indooroopilly QLD 4068 |akm@theinternet.com.au|

Reply

Sign in to reply online Use email software

9204

Age (days ago)

9204

Last active (days ago)

1 comments

2 participants

tags

participants (2)

Andrew Kenneth Milton
Oliver Bleutgen