[Zope-DB] ZSQL Method security concern
Dieter Maurer
dieter@handshake.de
Sun, 14 Apr 2002 23:52:06 +0200
Charlie Reiman writes:
> I have a bunch of queries I need to make for my product. These look like:
>
> select sum(thing1) from the_big_table where something...
> select sum(thing2) from the_big_table where something...
> select sum(thing3) from the_big_table where something...
> select sum(thing4) from the_big_table where something...
>
> I have this set up as a single ZSQL Method with a template like this:
>
> select sum(<dtml-var field>) from the_big_table where <dtml-var expr>
>
> This is insecure since I should be using dtml-sqlvar to escape suspect
> strings. Fine and dandy, except dtml-sqlvar is used for inserting SQL field
> values:
Let your forms pass just the minimal information necessary to
build your queries.
The DTML in your ZSQL method would be
<dtml-var buildQuery(REQUEST)>
"buildQuery" would be a Python Script that looks at REQUEST
and builds the correct select statement.
Dieter
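The buildQuery approach sketched above, as an added example in plain Python that is not from the original thread: the form sends only a field key and a condition key, both checked against allow-lists, so the column identifier (which dtml-sqlvar cannot protect) never comes from the request verbatim. A plain dict stands in for Zope's REQUEST, and the field names, condition keys and the integer `year` parameter are constructed for the illustration.

```python
# Sum() targets the form may ask for (constructed names). The identifier that
# ends up in the SELECT is taken from this tuple, never from the request text.
ALLOWED_FIELDS = ("thing1", "thing2", "thing3", "thing4")

# Fixed WHERE fragments, chosen by key. The only variable part is an integer
# that is validated with int() before it is interpolated, so no quoting is
# needed and no SQL text from the form reaches the query.
ALLOWED_CONDITIONS = {
    "all": "1 = 1",
    "recent": "year >= %d",
}


def build_query(request):
    """Build the SELECT for a request-like mapping, or raise ValueError.

    request: mapping with 'field', optionally 'condition' and, for the
    'recent' condition, an integer-valued 'year'. Returns the SQL string,
    which is what <dtml-var buildQuery(REQUEST)> would insert.
    """
    field = request.get("field")
    if field not in ALLOWED_FIELDS:
        raise ValueError("unknown field: %r" % (field,))

    condition = request.get("condition", "all")
    if condition not in ALLOWED_CONDITIONS:
        raise ValueError("unknown condition: %r" % (condition,))
    where = ALLOWED_CONDITIONS[condition]

    if "%d" in where:
        try:
            year = int(request.get("year", ""))
        except (TypeError, ValueError):
            raise ValueError("year must be an integer")
        where = where % year

    return "select sum(%s) from the_big_table where %s" % (field, where)


def is_rejected(request):
    """True if build_query refuses the request (used to check the allow-lists)."""
    try:
        build_query(request)
    except ValueError:
        return True
    return False
```

Anything the form supplies that is not one of the fixed keys, or not a whole number where one is expected, is refused before any SQL is built.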