[Zope-DB] ZSQL Method security concern

Dieter Maurer dieter@handshake.de
Sun, 14 Apr 2002 23:52:06 +0200


Charlie Reiman writes:
 > I have a bunch of queries I need to make for my product. These look like:
 > 
 > select sum(thing1) from the_big_table where something...
 > select sum(thing2) from the_big_table where something...
 > select sum(thing3) from the_big_table where something...
 > select sum(thing4) from the_big_table where something...
 > 
 > I have this set up as a single ZSQL Method with a template like this:
 > 
 > select sum(<dtml-var field>) from the_big_table where <dtml-var expr>
 > 
 > This is insecure since I should be using dtml-sqlvar to escape suspect
 > strings. Fine and dandy, except dtml-sqlvar is used for inserting SQL field
 > values:
Let your forms pass just the minimal information necessary to
build your queries.

The DTML in your ZSQL method would be

  <dtml-var buildQuery(REQUEST)>

"buildQuery" would be a Python Script that looks at REQUEST
and builds the correct select statement.


Dieter
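As an added illustration of the "buildQuery" idea in Dieter's reply (this is not code from the thread or from Zope itself), the sketch below is a plain Python function that takes a form dict instead of a Zope REQUEST so it runs outside Zope. The column names, the form keys, and the `sql_literal` helper are assumptions; the point is that the form only chooses among allowlisted columns, and every value is rendered as a typed literal rather than being pasted in with dtml-var.

```python
# Added example, not from the original mailing-list thread.
# Mirrors the "buildQuery(REQUEST)" Python Script Dieter describes, but as a
# stand-alone function over a dict of form values. Column names are assumed.

ALLOWED_FIELDS = ("thing1", "thing2", "thing3", "thing4")  # columns sum() may use

# form key -> (column in the_big_table, SQL type), assumed for the example
ALLOWED_FILTERS = {
    "region": ("region_code", "string"),
    "year": ("fiscal_year", "int"),
}


def sql_literal(value, sqltype):
    """Render one value as a SQL literal, in the spirit of dtml-sqlvar
    type=string / type=int. Ints must parse as ints; strings get their
    single quotes doubled. A real ZSQL method should let dtml-sqlvar (or
    the DB adapter) do this, since quoting rules differ per database."""
    if sqltype == "int":
        return str(int(value))  # ValueError on anything that is not an integer
    return "'" + str(value).replace("'", "''") + "'"


def build_query(form):
    """Build 'select sum(<field>) from the_big_table where ...' from form
    input. The field and filter columns come only from the allowlists; the
    form supplies which ones to use and the values to compare against."""
    field = form.get("field")
    if field not in ALLOWED_FIELDS:
        raise ValueError("field not allowed: %r" % (field,))

    conditions = []
    for key, (column, sqltype) in sorted(ALLOWED_FILTERS.items()):
        if key in form:
            conditions.append("%s = %s" % (column, sql_literal(form[key], sqltype)))

    query = "select sum(%s) from the_big_table" % field
    if conditions:
        query += " where " + " and ".join(conditions)
    return query


if __name__ == "__main__":
    # Constructed sample form input
    print(build_query({"field": "thing1", "region": "EU", "year": "2002"}))
    # An attempt to smuggle SQL through the field name is rejected outright
    try:
        build_query({"field": "thing1) from other_table --"})
    except ValueError as e:
        print("rejected:", e)
```

In a ZSQL Method the template would then be just `<dtml-var buildQuery(REQUEST)>`, as in the reply above; because the script never echoes a raw form string into the statement, `dtml-var` is safe there even though it does no escaping.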