[Zope-DB] Re: How to import SQL in python script???
Martin Gebert
Murphy@members.netsolution-net.de
Wed, 12 Feb 2003 18:51:03 +0100
eijgnit@netscape.net wrote:
> Dear all,
>
> As a follow up to my earlier question on the above topic. Because the
> SQLStatement I need to query the database with depends on a lot of
> variables (sometimes I even have to query another relation). I could
> use sqlgroup and sqltest to do the above.
>
> But here's another solution, create a ZSQLMethod with only one
> argument called, say, "sql", and in the contents just have "<dtml-var
> sql>". Effectively what this does is to query the database according
> to what the argument sql is (which of coz must be a valid sql
> statement).
>
But with this way, you have to make absolutely, *ABSOLUTELY* sure that no one is able to exploit the method by injecting harmful code. Say, somebody is calling it with
myZSqlMethod(sql='delete from MYTABLE')
This is the reason why the use of dtml-sqlvar is recommended; it provides type-specific quoting (attribute "type") to make sure harmful SQL statements within a parameter can't be executed.
Martin
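The contrast Martin draws, as an added example that is not part of the original thread and not Zope's own code: `render_raw` models the "<dtml-var sql>" method, which hands whatever the caller passes straight to the database, while `sqlvar` is a simplified, hypothetical model of what a type-specific quoting step like dtml-sqlvar does (validate the value against its declared type and emit exactly one literal). The fixed statement is then run against a throwaway in-memory SQLite table with constructed sample rows to show that a quoted parameter is treated as data, not as SQL. Function names, the `int`/`float`/`string` type names and the sample table are assumptions of this example.

```python
import re
import sqlite3


class SQLQuotingError(ValueError):
    """Raised when a parameter cannot be rendered safely for its declared type."""


def sqlvar(value, sql_type):
    """Render one parameter as a single SQL literal of the declared type.

    Hypothetical simplified model of type-specific quoting (not Zope's
    implementation): the statement text is fixed by the method author and
    only the literal varies, so a caller can never supply SQL syntax.
    """
    if sql_type == "int":
        # Only an integer (or integer-looking string) is accepted; anything
        # else, including trailing SQL text, is rejected rather than emitted.
        if isinstance(value, bool) or not re.fullmatch(r"-?\d+", str(value)):
            raise SQLQuotingError(f"not an integer: {value!r}")
        return str(int(value))
    if sql_type == "float":
        try:
            return repr(float(value))
        except (TypeError, ValueError) as exc:
            raise SQLQuotingError(f"not a float: {value!r}") from exc
    if sql_type == "string":
        # Double every single quote so the value cannot close the literal.
        return "'" + str(value).replace("'", "''") + "'"
    raise SQLQuotingError(f"unknown type: {sql_type!r}")


def rejects(value, sql_type):
    """True if sqlvar refuses to render value for sql_type."""
    try:
        sqlvar(value, sql_type)
    except SQLQuotingError:
        return True
    return False


def render_raw(sql):
    """The "<dtml-var sql>" approach: the caller owns the whole statement."""
    return sql


def render_lookup(name):
    """dtml-sqlvar style: fixed statement, string-typed parameter."""
    return "select * from MYTABLE where name = " + sqlvar(name, "string")


def render_lookup_by_id(id_value):
    """dtml-sqlvar style: fixed statement, int-typed parameter."""
    return "select * from MYTABLE where id = " + sqlvar(id_value, "int")


def lookup_count(name):
    """Run the hardened lookup against constructed sample data and return
    (rows matched, rows still present) so the effect of quoting is visible."""
    con = sqlite3.connect(":memory:")
    con.execute("create table MYTABLE (id integer, name text)")
    con.executemany("insert into MYTABLE values (?, ?)",
                    [(1, "O'Brien"), (2, "Smith")])  # constructed rows
    matched = con.execute(render_lookup(name)).fetchall()
    total = con.execute("select count(*) from MYTABLE").fetchone()[0]
    con.close()
    return len(matched), total


if __name__ == "__main__":
    print(render_raw("delete from MYTABLE"))           # passed through untouched
    print(render_lookup("O'Brien"))                    # quote doubled inside literal
    print(render_lookup_by_id("42"))                   # integer accepted
    print(rejects("42; delete from MYTABLE", "int"))   # True: not an integer
    print(lookup_count("O'Brien"))                     # (1, 2)
```

The raw variant has no place to put a check at all, which is why the only defence there is trusting every caller; the sqlvar variant moves the decision into the method itself, where the declared type decides what a parameter may contain.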