Bug in PostGre adapter for Zope, for type string in arguments of ZSQL Methods (?)
(ok, sorry, I'm Spanish.. ;-D)

I'm trying to do something like this in a ZSQLMethod:

select * from table_name where table_field1=<dtml-sqlvar argument1 type=int>;

And it works successfully. But if I try with:

select * from table_name where table_field2=<dtml-sqlvar argument2 type=string>;

I get an unexpected error:

Error, exceptions.NameError: global name 'string' is not defined
--------------------------------------------------------------------------------
SQL used:
Could not render the query template!

I have tried some other ways to access the query:

select * from table_name where table_field2='<dtml-sqlvar argument2 type=string>';
select * from table_name where table_field2=<dtml-sqlvar argument2 type="string">;
select * from table_name where table_field2='<dtml-sqlvar argument2 type="string">';
...

But, nothing. If I try this:

select * from table_name where table_field2='value';

It works successfully again. Why can't Zope render the query template? Why does Zope say "global name string is not defined"?

I'm using... Zope 2.4.0, Python 2.1.1, Linux, ZPoPyDA (Last Version? I'm not sure of this)

I need the help. Every comment can help me. Thanks.

Antonio Carrasco
acg wrote:
(ok, sorry, I'm Spanish.. ;-D) I'm trying to do something like this in a ZSQLMethod: select * from table_name where table_field1=<dtml-sqlvar argument1 type=int>;
And it works successfully. But if I try with: select * from table_name where table_field2=<dtml-sqlvar argument2 type=string>;
I get an unexpected error:
Error, exceptions.NameError: global name 'string' is not defined ---------------------------------------------------------------------- SQL used:
Could not render the query template!
I have tried some other ways to access the query: select * from table_name where table_field2='<dtml-sqlvar argument2 type=string>'; ... I need the help. Every comment can help me. Thanks.
select * from table_name where table_field2='<dtml-var argument2>'

or

select * from table_name where table_field2='<dtml-var "_.str(argument2)">'

--
Andreas Heckel andreas@easyleading.org
LINUX is like a wigwam...no gates...no windows and an apache inside ;-)
Andreas Heckel wrote:
I have tried some other ways to access the query: select * from table_name where table_field2='<dtml-sqlvar argument2 type=string>'; ... I need the help. Every comment can help me. Thanks.
select * from table_name where table_field2='<dtml-var argument2>'
or
select * from table_name where table_field2='<dtml-var "_.str(argument2)">'
ACK! no, no, no don't use <dtml-var> in a sql method, use <dtml-sqlvar>. What if argument2 was set to "43;drop database mydatabase"? yep you'd get a select but your database would be erased. <dtml-sqlvar> does checks to keep this type of attack from happening

--
Tom Jenkins
devIS - Development Infostructure
http://www.devis.com
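Tom's point, as an added example that is not part of the thread or of Zope/ZPoPyDA code: a small Python 3 emulation of what `<dtml-sqlvar>` and `<dtml-var>` substitute into the query from this thread, run against a constructed hostile value. It assumes `sqlvar type=string` quotes the value and doubles embedded single quotes (as Zope's `sql_quote` does) and that `type=int` rejects non-integer input; `statement_count` is a hypothetical helper for checking the rendered SQL.

```python
# Added example, not code from the thread or from Zope/ZPoPyDA.
# Assumption: <dtml-sqlvar type=string> quotes the value and doubles embedded
# single quotes (Zope's sql_quote); type=int requires an integer value.

def sql_quote(value: str) -> str:
    """Double embedded single quotes so the value cannot close the literal."""
    return value.replace("'", "''")

def render_sqlvar(value, type_: str) -> str:
    """Emulate <dtml-sqlvar name type=...>: typed, quoted substitution."""
    if type_ == "int":
        return str(int(value))  # non-integer input raises ValueError
    if type_ == "string":
        return "'" + sql_quote(str(value)) + "'"
    raise ValueError("unsupported sqlvar type: %s" % type_)

def render_var(value) -> str:
    """Emulate <dtml-var name>: raw substitution, no quoting or checks."""
    return str(value)

def build_query(argument2, use_sqlvar: bool) -> str:
    """Render the thread's table_field2 query with either tag."""
    if use_sqlvar:
        where = "table_field2=" + render_sqlvar(argument2, "string")
    else:
        where = "table_field2='" + render_var(argument2) + "'"
    return "select * from table_name where " + where + ";"

def statement_count(sql: str) -> int:
    """Count statements: semicolons outside '...' literals ('' is an escaped quote)."""
    count, in_literal, i = 0, False, 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if in_literal and sql[i + 1:i + 2] == "'":
                i += 1  # doubled quote stays inside the literal
            else:
                in_literal = not in_literal
        elif ch == ";" and not in_literal:
            count += 1
        i += 1
    return count

# Constructed hostile value: the thread's "43;drop database mydatabase" with the
# quote needed to break out of the '<dtml-var ...>' literal.
HOSTILE = "43'; drop database mydatabase; --"
```

With `<dtml-var>` the rendered query carries two statements; with `<dtml-sqlvar>` the same input stays one literal, and `type=int` refuses it outright.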
On Thu, Aug 23, 2001 at 06:51:36PM -0400, Tom Jenkins wrote:
Andreas Heckel wrote:
I have tried some other ways to access the query: select * from table_name where table_field2='<dtml-sqlvar argument2 type=string>'; ... I need the help. Every comment can help me. Thanks.
select * from table_name where table_field2='<dtml-var argument2>'
or
select * from table_name where table_field2='<dtml-var "_.str(argument2)">'
ACK! no, no, no don't use <dtml-var> in a sql method, use <dtml-sqlvar>. What if argument2 was set to "43;drop database mydatabase"? yep you'd get a select but your database would be erased. <dtml-sqlvar> does checks to keep this type of attack from happening
Actually, DO do it, but only for testing purposes. The reason I want this done is that it should not depend in any way on any "string" method. Tom is 100% right that this is a gaping security problem and should never go into production code. Make sure you do it in a folder that you have marked for deletion, and delete it after testing.

(background: some people are reporting problems with a particular database adapter, ZPoPyDA, and others (who have never seen such a problem) are trying to diagnose. Is it version dependent? Does the adapter do the right thing in the simplest cases? Which combinations of OS, Zope, Python, PoPy, and ZPoPyDA are failing? Is it only for <dtml-sqlvar ... type=string>? ...)
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
participants (4)
- 320011178755-0001@t-online.de
- acg
- Jim Penny
- Tom Jenkins