Hello all,

I would like to choose via a formfield (called 'tablename') which table ('employers' or 'employees') is going to be queried.

I use in my ZSQL Method the following: select * from <dtml-var tablename> because select * from <dtml-sqlvar tablename type=string> results in e.g. select * from 'employees' which results in an SQL error because of the quotes.

Any advice with respect to the safety of using the dtml-var, i.e. could the formfield 'tablename' be fiddled with to contain something like 'employees; delete from employees'?

Is there an alternative solution to get rid of the quotes in the dtml-sqlvar?

best regards,
Roger Erens
On Friday 05 July 2002 07:55 am, Roger Erens wrote:
> Hello all,
> I would like to choose via a formfield (called 'tablename') which table ('employers' or 'employees') is going to be queried.
> I use in my ZSQL Method the following: select * from <dtml-var tablename> because select * from <dtml-sqlvar tablename type=string> results in e.g. select * from 'employees' which results in an SQL error because of the quotes.
> Any advice with respect to the safety of using the dtml-var, i.e. could the formfield 'tablename' be fiddled with to contain something like 'employees; delete from employees'?
> Is there an alternative solution to get rid of the quotes in the dtml-sqlvar?
> best regards, Roger Erens
If you use <dtml-var> in a Z SQL method be sure to use the sql_quote option so that characters like ";" and "'" are properly escaped, i.e.:

SELECT * FROM <dtml-var tablename sql_quote>

hth,
-Casey
Roger Erens writes:
> Any advice with respect to the safety of using the dtml-var, i.e. could the formfield 'tablename' be fiddled with to contain something like 'employees; delete from employees'?
> Is there an alternative solution to get rid of the quotes in the dtml-sqlvar?

I would pass a code (e.g. "1", "2", ...) and resolve the code into a table name inside the ZSQL with a "_.test" call (see DTML reference).
Dieter
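The two replies above suggest different fixes, and the difference matters for a table name. A quote-doubling filter such as sql_quote is designed for values that sit inside '...' in the SQL; a table name is an identifier that is placed into the statement unquoted, so a value like the one in the question contains nothing for the filter to double. The code-to-table-name lookup Dieter describes sidesteps that entirely, because the identifier that reaches the SQL comes from a fixed mapping rather than from the request. The following is an added example (not code from this thread and not Zope's own source) that re-implements the quote-doubling as a stand-in for the sql_quote filter, shows the direct interpolation from the question beside the allow-listed version, and uses constructed codes and table names:

```python
# Added example: contrasts direct interpolation of a form value, a
# quote-doubling filter (stand-in for sql_quote, re-implemented here),
# and an allow-list lookup from a short code to a table name.
# Codes and table names below are constructed for this example.

# Only these identifiers may ever appear in the FROM clause.
TABLE_BY_CODE = {
    "1": "employers",
    "2": "employees",
}


def sql_quote(value):
    """Double single quotes, as a string-literal escaping filter does.

    Stand-in for the sql_quote DTML filter. Doubling makes a value safe
    to place between quotes in SQL; every other character, ';' included,
    passes through unchanged, so it does nothing for an unquoted identifier.
    """
    return value.replace("'", "''")


def build_query_interpolated(tablename):
    """Query as the question builds it: the form value lands in the SQL as-is."""
    return "SELECT * FROM %s" % tablename


def is_allowed_code(code):
    """True only for codes present in the fixed mapping."""
    return code in TABLE_BY_CODE


def resolve_table(code):
    """Map a form code to an allow-listed table name; reject anything else.

    The returned identifier comes from the mapping, not from the request,
    so no client-controlled text reaches the SQL at all.
    """
    if not is_allowed_code(code):
        raise ValueError("unknown table code: %r" % (code,))
    return TABLE_BY_CODE[code]


def build_query_allowlisted(code):
    """Query built from the resolved identifier."""
    return "SELECT * FROM %s" % resolve_table(code)


# The same lookup written inside the ZSQL Method with the _.test call Dieter
# mentions (DTML syntax assumed from the DTML reference, not executed here):
#
#   SELECT * FROM <dtml-var "_.test(code == '1', 'employers',
#                                   code == '2', 'employees')">
#
# A code outside the list matches no branch, so no request text ever
# becomes part of the statement.


if __name__ == "__main__":
    submitted = "employees; delete from employees"  # value from the question
    print(build_query_interpolated(submitted))      # two statements reach the DB
    print(build_query_interpolated(sql_quote(submitted)))  # unchanged: no quotes to double
    print(build_query_allowlisted("2"))             # SELECT * FROM employees
    print(is_allowed_code(submitted))               # False
```

Running the block prints the interpolated query with and without the quote-doubling filter (identical, since the submitted value holds no single quote), then the allow-listed query for code "2". In a ZSQL Method the mapping would be the `_.test` expression shown in the comment, and the form would carry the code rather than the table name, so an unexpected value produces no table name instead of extra SQL.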