[Zope-DB] Re: dynamic SQL

Michal Kurowski mkur@poczta.gazeta.pl
Wed, 9 Apr 2003 02:00:47 +0200


Jim Penny [jpenny@universal-fasteners.com] wrote:
> Well, you have no security, whatsoever.  Anyone who can access method
> variable_sql can do anything that they want to our database.  Even if
> you somehow limit access to the method, you can't stop SQL injection.
> And you can't debug the SQL, since you have no idea of what will be
> executed.
> 
> Go to the trouble now.  It will reduce your trouble later.

Well said.

But you might want to check some Zope products out:

http://www.zope.org/Members/zwork/Znolk_SQL_Wizard
http://www.zope.org/Members/Ioan/SQLForms

Cheers,

-- 
Michal Kurowski
<mkur@poczta.gazeta.pl>
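The contrast Jim draws between a method that executes whatever SQL it is handed and a fixed query with its variable part bound, as an added Python example (not code from the thread, from Zope or from the products linked above; the sqlite3 in-memory table, the function names and the hostile input are constructed stand-ins for a Z SQL Method and its database adapter):

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff")])
    conn.commit()
    return conn


def variable_sql(conn, sql):
    """The pattern the thread warns about: the caller supplies the whole
    statement and it runs verbatim. There is no fixed behaviour to restrict,
    and nothing to read in the method to learn what will be executed."""
    cur = conn.execute(sql)
    conn.commit()
    return cur.fetchall()


FIND_USER_SQL = "SELECT name, role FROM users WHERE name = ?"


def find_user(conn, name):
    """The fixed alternative: one constant statement, variable part bound as a
    parameter (the role <dtml-sqlvar> plays in a Z SQL Method). The SQL text
    never changes, so it can be logged and debugged, and `name` is only data."""
    return conn.execute(FIND_USER_SQL, (name,)).fetchall()


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demo():
    # Anyone reaching variable_sql needs no trick: they hand it a statement.
    conn = make_db()
    variable_sql(conn, "DELETE FROM users")
    after_dynamic = user_count(conn)

    # The same intent expressed as an injection attempt against the bound
    # query is compared with the name column as a literal; the table survives.
    conn = make_db()
    rows = find_user(conn, "x'; DELETE FROM users; --")
    after_bound = user_count(conn)
    return after_dynamic, rows, after_bound
```

`demo()` returns `(0, [], 2)`: the dynamic method emptied the table, the bound query matched nothing and changed nothing.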