Bad: Re: [Zope-dev] ZSQL using LIKE operator

Schmidt, Allen J. aschmidt@nv.cc.va.us
Fri, 9 Feb 2001 06:54:30 -0500


Got it. Making the change now. Thanks for keeping an eye on this thread.
What about the sqltest suggestion posted on this thread? Or do sqltest
and sqlvar handle DB calls in a similar fashion?
Thanks

-----Original Message-----
From: Jon Franz [mailto:jfranz@one.net]
Sent: Thursday, February 08, 2001 3:54 PM
To: 'zope-dev@zope.org'
Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator


No, this is bad!! Do NOT do this - it will allow bad characters in your SQL
query that could allow mischievous people to tamper with your DB and
possibly hack your box (depending upon what DB you are using, how it is
configured, what user it runs as, etc.).
This is the whole reason the dtml-sqlvar tag exists - _safe_ conversion to
formats usable by your DB, including escaping of bad characters.

Instead, do this:

SELECT * FROM table WHERE keywords LIKE <dtml-sqlvar "'%' + my_var + '%'" type=string>

the expression inside the quotes will handle adding the %'s to the beginning
and end of your string.

Sorry about the correction, but this can be a big security hazard...

~Jon Franz/'Coventry': http://www.zope.org/Members/Coventry

>Message: 9
>Date: Thu, 08 Feb 2001 07:32:48 -0500
>Subject: Re: [Zope-dev] ZSQL using LIKE operator
>From: Jens Vagelpohl <jens@digicool.com>
>To: "Schmidt, Allen J." <aschmidt@nv.cc.va.us>, <zope-dev@zope.org>
>
>just write it out like:
>
>SELECT * FROM table WHERE keywords LIKE '%<dtml-var name="my_var">%'
>
>jens

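The difference between the two approaches above, as an added example that is not part of the thread and not Zope or ZSQL code: the same LIKE query is built once by raw string interpolation (what `<dtml-var>` does) and once with the wildcard pattern assembled in the host language and passed as a bound parameter (what the `<dtml-sqlvar "'%' + my_var + '%'" type=string>` form does). It uses Python's built-in sqlite3 module with a constructed in-memory table; the table name `t`, the sample rows and the function names are assumptions. A third variant goes one step past the thread: it also escapes `%` and `_` in the user value so that those characters match literally instead of acting as wildcards.

```python
import sqlite3

# Constructed sample data: one value with an apostrophe, one with a literal '%'.
ROWS = [("O'Brien zope sql",), ("plain keywords",), ("100% zope",)]


def make_db():
    """Create an in-memory table 't' (assumed name) with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (keywords TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)", ROWS)
    return conn


def search_unsafe(conn, my_var):
    """Mirrors the <dtml-var> pattern: the user value is pasted into the SQL text.
    Any quote in my_var becomes part of the statement, not part of the data."""
    sql = "SELECT keywords FROM t WHERE keywords LIKE '%" + my_var + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, my_var):
    """Mirrors <dtml-sqlvar "'%' + my_var + '%'" type=string>: the pattern is
    built in the host language and handed to the driver as a bound value,
    so quotes in my_var are data and cannot change the statement."""
    pattern = "%" + my_var + "%"
    sql = "SELECT keywords FROM t WHERE keywords LIKE ?"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def search_safe_literal(conn, my_var):
    """Goes beyond the thread: additionally escapes LIKE metacharacters so a
    user-supplied '%' or '_' matches itself rather than acting as a wildcard."""
    escaped = (my_var.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_"))
    pattern = "%" + escaped + "%"
    # The SQL literal '\' (two backslashes in Python source) is the escape char.
    sql = "SELECT keywords FROM t WHERE keywords LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def unsafe_breaks(conn, my_var):
    """True when the interpolated query is no longer valid SQL for this value,
    which is the symptom that the value has leaked into the statement syntax."""
    try:
        search_unsafe(conn, my_var)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("unsafe query broken by an apostrophe:", unsafe_breaks(db, "O'Brien"))
    print("safe query:", search_safe(db, "O'Brien"))
    print("safe query, '%' as wildcard:", search_safe(db, "%"))
    print("safe query, '%' as literal:", search_safe_literal(db, "%"))
```

A single apostrophe in the input is enough to make the interpolated query fail outright, which is the benign face of the problem Jon describes; the bound-parameter form returns the expected row for the same input. Note that binding alone does not stop `%` and `_` from behaving as wildcards inside the pattern, which is why the third function escapes them.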

_______________________________________________
Zope-Dev maillist  -  Zope-Dev@zope.org
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )