RE: [Zope] dtml-sqlvar quote
It is not safe if you have malicious users. You will need to pass your <dtml-var name="search_field"> through a filter. This will help. A better example is a user taking advantage of an insert method:

insert into data values (<dtml-var name="value_1">, <dtml-var name="value_2">, <dtml-var name="value_3">)

where the user has found the Zsqlmethod by looking at http://yourzopehost/objectIds and calls it like this:

http://yourzopehost/sqlADDUSER?value_3=randomvalue);SELECT%20*%20FROM%20secretpasswordtable/

Fortunately, Zope responds with a "testing the sql method" form if you are authorized.

Troy

-----Original Message-----
From: Mark Twiddy [mailto:vtwiddy@senet.com.au]
Sent: Friday, October 20, 2000 3:22 AM
To: zope@zope.org
Subject: Re: [Zope] dtml-sqlvar quote

Hi all, thanks for the help. Just on that. Is it safe to do

select * from data where <dtml-var search_field> like '%<dtml-var search_term>

as search_term could contain '; drop table blah; ' or whatever. I thought by using <dtml-sqlvar > you could use untrusted values.

Thanks again
Mark

On Fri, 20 Oct 2000, Tony McDonald wrote:
Hi all
How can I pass a string to a SQL method that won't be quoted?
i.e. so I can do something like this
..... group by foo,blah order by <dtml-sqlvar spam>
Thanks, Mark
don't quote it?
... order by <dtml-var spam>
I use this all the time for things like
select * from data where <dtml-var search_field> like '%<dtml-var search_term>%'
tone
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
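A defensive counterpart to the queries discussed in the thread, added here as an example and not part of any of the original messages. The thread's two problems are distinct: a value such as search_term can be bound as a parameter (which is what dtml-sqlvar's quoting is for), but an identifier such as the order by column or search_field cannot be quoted at all and so has to be checked against an allow-list before it is spliced into the SQL text. The code below does both, and also escapes LIKE wildcards so a user cannot turn '%' into a match-everything search. Python's sqlite3 module stands in for the ZSQL method; the data table, its columns and the ALLOWED_FIELDS set are constructed for this example.

```python
import sqlite3

# Assumption for the example: the only columns a caller may name in
# search_field. Anything else (including "name; drop table data") is refused.
ALLOWED_FIELDS = {"name", "email"}


def build_search(search_field, search_term):
    """Return (sql, params) for the thread's "select * from data where
    <field> like '%<term>%'" query, built safely.

    The column name is validated against an allow-list because identifiers
    cannot be passed as bound parameters; the search term is bound as a
    parameter and its LIKE metacharacters are escaped so they match literally.
    """
    if search_field not in ALLOWED_FIELDS:
        raise ValueError("unknown search field: %r" % (search_field,))
    escaped = (
        search_term.replace("\\", "\\\\")
        .replace("%", "\\%")
        .replace("_", "\\_")
    )
    # Only the allow-listed identifier is interpolated; the value goes in params.
    sql = "SELECT * FROM data WHERE %s LIKE ? ESCAPE '\\'" % search_field
    return sql, ("%" + escaped + "%",)


def run_search(conn, search_field, search_term):
    """Execute the safely built query and return all matching rows."""
    sql, params = build_search(search_field, search_term)
    return conn.execute(sql, params).fetchall()


def demo_db():
    """Constructed in-memory stand-in for the thread's 'data' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO data VALUES (?, ?)",
        [
            ("mark", "m@example.org"),
            ("tony", "t@example.org"),
            ("o'brien", "ob@example.org"),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = demo_db()
    # A quote in the term is harmless because it is bound, not interpolated.
    print(run_search(db, "name", "o'b"))
    # The thread's "'; drop table ..." style term simply matches nothing,
    # and the table is still there afterwards.
    print(run_search(db, "name", "'; drop table data; --"))
    print(db.execute("SELECT count(*) FROM data").fetchone()[0])
    # An unexpected column name is rejected before any SQL is built.
    try:
        build_search("name; drop table data", "x")
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list is the important half for the original question in the thread: an order by or column name reaching the database unquoted is only safe when the application, not the user, chose it.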
Participants (1): Farrell, Troy