[Zope-dev] ZSQL using LIKE operator
Jon Franz
jfranz@one.net
Fri, 9 Feb 2001 10:18:06 -0500
sqltest just creates the full string of the where clause segment
for the test using the same kind of 'safe' sql-string logic as
sqlvar: so you should be able to replace the value to test against
with any valid python expression, such as the one below where
the % operators are concatenated onto the variable holding the
value you want to test against. :)
As for the difference between <dtml-sqlvar> and <dtml-var sqlquote>
(in case anyone is confused), an sqlvar tag requires a
type value and will not only perform an sqlquote on the value
being inserted into the statement, but will do any/all type
conversion/stripping (letters from numeric values, etc) needed
based upon the requested type.
If anyone is concerned/puzzled by the security hazards I listed
below, here is a URL describing problems associated with bad data
used within queries and a mysql DB:
http://www.mysql.com/doc/G/e/General_security.html
See the bullet point beginning with 'Do not trust any data entered by
your users.'
Sorry if I seemed harsh in my original post, but security is my
bread and butter, so I may tend to be Loud when I see something
wrong...
PS: In order to increase the safety of ZSQLMethods, maybe the basic
<dtml-var> tag should be made illegal inside it? (forced usage
of the safe form would break some existent code, possibly, but
would avoid confusion such as this in general - and thus be safer)
> -----Original Message-----
> From: Schmidt, Allen J. [mailto:aschmidt@nv.cc.va.us]
> Sent: Friday, February 09, 2001 7:01 AM
> To: 'Jon Franz'; 'zope-dev@zope.org'
> Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator
>
>
> Got it. Making the change now. Thanks for keeping an eye on
> this thread.
> What about the sqltest suggestion posted on this thread?
> Or do sqltest
> and sqlvar handle DB calls in a similar fashion?
> Thanks
>
>> -----Original Message-----
>> From: Jon Franz [mailto:jfranz@one.net]
>> Sent: Thursday, February 08, 2001 3:54 PM
>> To: 'zope-dev@zope.org'
>> Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator
>>
>>
>> No, this is bad!! Do NOT do this - it will allow Bad
<<SNIP>
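The distinction drawn above between raw <dtml-var> interpolation and the quoting that sqlvar/sqltest perform, modelled in plain Python as an added example (this is not Zope's code; sql_quote, sqlvar, sqltest, like_query, unsafe_like_query and quotes_balanced are hypothetical helper names that mimic the documented behaviour, and the input is a constructed sample):

```python
# Added illustration, not Zope's own code: the helpers below model the
# documented behaviour of the DTML sqlquote modifier and the sqlvar/sqltest
# tags so the difference from raw <dtml-var> interpolation can be seen.

def sql_quote(value):
    """Double embedded single quotes, as the sqlquote modifier does."""
    return str(value).replace("'", "''")

def sqlvar(value, vtype="string"):
    """Render one value as a SQL literal of the requested type (assumed
    subset of the types sqlvar supports: string, int, float)."""
    if vtype == "string":
        return "'" + sql_quote(value) + "'"
    if vtype == "int":
        # Strip a trailing long-integer suffix, then convert; anything that
        # is not an integer raises instead of reaching the database.
        return str(int(str(value).rstrip("L")))
    if vtype == "float":
        return repr(float(value))
    raise ValueError("unsupported sqlvar type: %r" % vtype)

def sqltest(column, value, vtype="string", op="="):
    """Build a 'column op literal' where-clause segment like sqltest does."""
    return "%s %s %s" % (column, op, sqlvar(value, vtype))

def like_query(user_input):
    """Safe LIKE: wildcards are concatenated onto the value in Python and
    the whole pattern is then quoted as a single string literal."""
    pattern = "%" + user_input + "%"
    return "SELECT name FROM users WHERE " + sqltest("name", pattern, "string", "LIKE")

def unsafe_like_query(user_input):
    """The plain <dtml-var> form the thread objects to: raw interpolation."""
    return "SELECT name FROM users WHERE name LIKE '%" + user_input + "%'"

def quotes_balanced(sql):
    """Cheap sanity check: an odd number of single quotes means the input
    broke out of (or broke) the string literal."""
    return sql.count("'") % 2 == 0

if __name__ == "__main__":
    # Constructed sample input: an ordinary name containing an apostrophe.
    name = "O'Brien"
    print(like_query(name), quotes_balanced(like_query(name)))
    print(unsafe_like_query(name), quotes_balanced(unsafe_like_query(name)))
```

An apostrophe in ordinary data is enough to show the point: the quoted form stays one well-formed literal, the raw form does not.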