[Zope-DB] Safe way to insert variable column names for order by?
Jim Penny
jpenny@universal-fasteners.com
Tue, 12 Nov 2002 11:53:33 -0500
On Tue, Nov 12, 2002 at 11:05:51AM -0500, Jeff Kowalczyk wrote:
> I'm just getting started with ZSQL methods, and I wondered if there was a safe or
> recommended way to handle dynamic queries that parameterize their sorting and other
> 'non-test'. If I use dtml-sqlvar, sort and order will be quoted, which is incorrect SQL.
>
> <params>ShipmentDate=11/06/2002
> sort=ShipmentID
> order=asc</params>
> select ShipmentID, ShipmentDate, LocationAddress
> from Shipments
> where <dtml-sqltest ShipmentDate op=eq type=string>
> and ShipperID = 'MyShipper'
> and DeliveredTo is not null
> order by <dtml-var sort> <dtml-var order>
>
The best answer is that to be fully safe you should use
order by <dtml-var sort sql_quote> <dtml-var order sql_quote>
However, if sort and order are being generated from the form by a Script
Python, or the like, you have fairly small exposure, anyway. The
evil-doer would have to know the exact name of the method, the names of
any weakly protected parameters, and URL quoting to directly use the
method.
Note sql_quote does not quote the argument. It merely 'escapes' it.
So, you might use something like
'<dtml-var "_.str(_.SecurityGetUser()) sql_quote">'
as a correct clause.
Jim Penny
>
>
>
>
>
> _______________________________________________
> Zope-DB mailing list
> Zope-DB@zope.org
> http://lists.zope.org/mailman/listinfo/zope-db
>