[Zope-DB] How to import SQL in python script???
Ed Leafe
ed@leafe.com
Mon, 17 Feb 2003 09:42:55 -0500
On Wednesday, February 12, 2003, at 12:16 PM, eijgnit@netscape.net wrote:
> But here's another solution, create a ZSQLMethod with only one
> argument call say "sql", and in the contents just have "<dtml-var
> sql>". Effectively what this does is to query the database according
> to what the argument sql is (which of coz must be a valid sql
> statement).
For the reasons mentioned by others, this is a security risk if the
SQL is coming from anywhere outside of your control.
Having said that, there is an alternative that I have used with good
results. I use a Python script to evaluate any form fields that have
been submitted, and construct the WHERE clause based on that input. Of
course, now the responsibility is on you to check for rogue SQL (hint:
semi-colons are usually a warning sign!). I then have a ZSQL method
that is called with a single parameter that contains the WHERE clause.
The ZSQL method looks like this:
select field1, field2, ... fieldN from mytable
<dtml-var sqlSearchExpr>
order by myfield desc
Ed Leafe
http://leafe.com/
http://opentech.leafe.com
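The post describes building a WHERE clause in a Python Script from form fields and splicing it into a ZSQL method with <dtml-var>, with a manual check for "rogue SQL". The following is an added example, not Ed's code and not part of the thread: it contrasts that string-building approach with the alternative of keeping submitted values out of the SQL text entirely and passing them as bound parameters, which is the check a reviewer would want here. The table, column names (field1, field2, lastname, myfield) and allow-list are constructed for the example, and sqlite3 stands in for the database behind the ZSQL method.

```python
import sqlite3

# Columns a form is allowed to filter on; anything else is silently dropped.
# (Constructed allow-list for this example.)
ALLOWED_FIELDS = {"field1", "field2", "lastname"}


def build_where(form, allowed=ALLOWED_FIELDS):
    """Build a WHERE clause from submitted form fields.

    Column names come only from the allow-list; values never enter the SQL
    text and are returned separately so the driver can bind them.
    """
    conditions = []
    params = []
    for name in sorted(form):
        if name not in allowed:
            continue            # unknown column: drop it, never interpolate it
        conditions.append("%s = ?" % name)
        params.append(form[name])
    if not conditions:
        return "", []
    return "where " + " and ".join(conditions), params


def build_where_naive(form, allowed=ALLOWED_FIELDS):
    """The string-building variant with a semicolon check, for comparison."""
    conditions = []
    for name in sorted(form):
        if name not in allowed:
            continue
        value = str(form[name])
        if ";" in value:
            raise ValueError("rejected value containing a semicolon")
        conditions.append("%s = '%s'" % (name, value))
    return ("where " + " and ".join(conditions)) if conditions else ""


def make_db():
    """Constructed in-memory table standing in for 'mytable' in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mytable "
                 "(field1 integer, field2 text, lastname text, myfield integer)")
    conn.executemany("insert into mytable values (?, ?, ?, ?)", [
        (1, "a", "Smith", 10),
        (2, "b", "O'Brien", 20),
        (3, "c", "Smith", 30),
    ])
    return conn


def search(conn, form):
    """Parameterized equivalent of the ZSQL method shown in the post."""
    clause, params = build_where(form)
    sql = ("select field1, field2, lastname from mytable %s "
           "order by myfield desc" % clause)
    return conn.execute(sql, params).fetchall()


def search_naive(conn, form):
    """Same query with the WHERE clause spliced in as text."""
    clause = build_where_naive(form)
    sql = ("select field1, field2, lastname from mytable %s "
           "order by myfield desc" % clause)
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(search(db, {"lastname": "Smith"}))
    print(search(db, {"lastname": "O'Brien"}))    # apostrophe is bound as data
    try:
        search_naive(db, {"lastname": "O'Brien"})
    except sqlite3.OperationalError as err:
        # The semicolon check passes, yet an ordinary surname already breaks
        # the query: the text of the value has become part of the SQL.
        print("naive version fails on a plain apostrophe:", err)
```

The point the naive branch makes is that a character filter reasons about the value while the real problem is where the value ends up; once it is bound as a parameter the database never parses it as SQL. In Zope the same separation is available inside the ZSQL method itself, where <dtml-sqlvar> quotes a named argument according to its declared type, so only the column list and the chosen operators need to be generated by the Python Script.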