[Zope-DB] Passing a list to a ZSQL method?
Bryce Harrington
bryce at osdl.org
Fri May 21 15:35:59 EDT 2004
On Fri, 21 May 2004, Jim Penny wrote:
> On Fri, 21 May 2004 11:28:59 -0700 (PDT)
> Bryce Harrington <bryce at osdl.org> wrote:
> > INSERT INTO test_request_to_test_parameter (
> > <dtml-in params>
> > param_1,
> > </dtml-in>
> > test_request_uid
> > ) VALUES (
> > <dtml-in params>
> > <dtml-var value>,
> > </dtml-in>
> > <dtml-sqlvar name="test_request_uid" type="int">
> > )
>
> I am really, really confused. If request['value'] is 'foo',
> this would expand to:
>
> INSERT INTO test_request_to_test_parameter (
> param_1,
> param_2,
> param_3,
> param_4,
> test_request_uid
> ) VALUES (
> 'foo',
> 'foo',
> 'foo',
> 'foo',
> last_id's value
> )
>
> I don't see how this could possibly be what you want. I suspect that
> REQUEST does not have a key 'value', so that this is the exception.
Thanks, I figured out the problem I was having, and it's working
correctly now.
> Moreover, I suspect that this whole approach is open to SQL injection,
> unless you know the types of each parameter. Although, I have to admit
> that this is so odd, that it _might_ be hard to take advantage of. And
> you are making an implicit assumption that each column has a numeric
> type.
The types are always strings.
> What are the row names in the table you are trying to insert into? What
> values do you intend to insert?
They are named 'param_0', 'param_1', ..., 'param_20'.
> Jim Penny
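An added example, not code from either post, of the construction Jim's injection remark points at: the column list comes from a fixed allow-list of param_N names and the values are bound as parameters, the job `<dtml-sqlvar>` does and a `<dtml-var value>` loop does not. Python with sqlite3 stands in for Zope's database adapter; the table shape is constructed from the column names given in the thread, and `interpolated_sql` is included only to show how a value with a quote in it changes the statement instead of staying data.

```python
import sqlite3

# Table shape taken from the thread: columns param_0 .. param_20 plus
# test_request_uid. Everything else here is constructed for the example.
PARAM_COLUMNS = tuple(f"param_{i}" for i in range(21))
TABLE = "test_request_to_test_parameter"


def create_table(conn):
    cols = ", ".join(f"{c} TEXT" for c in PARAM_COLUMNS)
    conn.execute(f"CREATE TABLE {TABLE} ({cols}, test_request_uid INTEGER)")


def build_insert(params):
    """Column names come from the fixed allow-list, never from the request;
    every value gets a '?' placeholder, which is what <dtml-sqlvar> does."""
    if len(params) > len(PARAM_COLUMNS):
        raise ValueError("more values than param_N columns")
    columns = PARAM_COLUMNS[: len(params)] + ("test_request_uid",)
    placeholders = ", ".join("?" for _ in columns)
    return f"INSERT INTO {TABLE} ({', '.join(columns)}) VALUES ({placeholders})"


def insert_test_request(conn, params, test_request_uid):
    # Values travel as bound parameters, so quotes inside them stay data.
    conn.execute(build_insert(params), (*params, test_request_uid))


def interpolated_sql(params, test_request_uid):
    """What a <dtml-var value> loop emits: raw text spliced into the SQL."""
    columns = PARAM_COLUMNS[: len(params)] + ("test_request_uid",)
    values = ", ".join(f"'{p}'" for p in params) + f", {int(test_request_uid)}"
    return f"INSERT INTO {TABLE} ({', '.join(columns)}) VALUES ({values})"


def interpolation_breaks(params, test_request_uid):
    """True if the database rejects the interpolated statement."""
    conn = sqlite3.connect(":memory:")
    create_table(conn)
    try:
        conn.execute(interpolated_sql(params, test_request_uid))
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    conn = sqlite3.connect(":memory:")
    create_table(conn)
    insert_test_request(conn, ["foo", "it's", "O'Brien"], 42)
    query = f"SELECT param_0, param_1, param_2, test_request_uid FROM {TABLE}"
    return conn.execute(query).fetchone()
```

`demo()` stores the quoted values intact through the bound-parameter path, while `interpolation_breaks(["it's"], 42)` shows the same input making the interpolated statement unparseable.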