[Zope-dev] ZSQL using LIKE operator

Jon Franz jfranz@one.net
Fri, 9 Feb 2001 10:18:06 -0500


sqltest just creates the full string of the where clause segment 
for the test using the same kind of 'safe' sql-string logic as 
sqlvar: so you should be able to replace the value to test against 
with any valid python expression, such as the one below where 
the % operators are concatenated onto the variable holding the 
value you want to test against. :)

As for the difference between <dtml-sqlvar> and <dtml-var sqlquote> 
(in case anyone is confused), an sqlvar tag requires a 
type value and will not only perform an sqlquote on the value 
being inserted into the statement, but will do any/all type 
conversion/stripping (letters from numeric values, etc) needed 
based upon the requested type.  

If anyone is concerned/puzzled by the security hazards I listed 
below, here is a URL describing problems associated with bad data 
used within queries and a mysql DB:

http://www.mysql.com/doc/G/e/General_security.html

See the bullet point beginning with 'Do not trust any data entered by 
your users.'

Sorry if I seemed harsh in my original post, but security is my
bread and butter, so I may tend to be Loud when I see something
wrong...


PS: In order to increase the safety of ZSQLMethods, maybe the basic
<dtml-var> tag should be made illegal inside it?  (forced usage
of the safe form would break some existing code, possibly, but 
would avoid confusion such as this in general - and thus be safer)

> -----Original Message-----
> From: Schmidt, Allen J. [mailto:aschmidt@nv.cc.va.us]
> Sent: Friday, February 09, 2001 7:01 AM
> To: 'Jon Franz'; 'zope-dev@zope.org'
> Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator
> 
> 
> Got it. Making the change now. Thanks for keeping an eye on 
> this thread. 
> What about the sqltest suggestion posted on this thread? 
> Or do sqltest
> and sqlvar handle DB calls in a similar fashion?
> Thanks
> 
>> -----Original Message-----
>> From: Jon Franz [mailto:jfranz@one.net]
>> Sent: Thursday, February 08, 2001 3:54 PM
>> To: 'zope-dev@zope.org'
>> Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator
>> 
>> 
>> No, this is bad!! Do NOT do this - it will allow Bad 
<<SNIP>
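The point of the thread, as an added example that is not part of the original posts and not Zope's own code: a LIKE clause built with a bare <dtml-var> interpolates the user's text straight into the statement, while the sqlvar/sqlquote path quotes the whole pattern (with the % wildcards concatenated in a Python expression, as suggested above) as one string literal, and a typed sqlvar (type="int") converts the value instead of quoting it. The quoting function below is a simplified stand-in for the DA's sql_quote (it only doubles single quotes), the users table and its rows are constructed for the demo, and sqlite3 stands in for the real database adapter.

```python
"""Added example: raw <dtml-var> vs <dtml-sqlvar>/sqlquote in a ZSQL LIKE query.

Nothing here is Zope's code. sql_quote is a simplified stand-in that only
doubles single quotes; the table, rows and inputs are constructed for the demo.
"""
import sqlite3


def sql_quote(value):
    """Stand-in for <dtml-var x sql_quote> / <dtml-sqlvar x type="string">:
    double every single quote and wrap the result in quotes (simplified)."""
    return "'" + str(value).replace("'", "''") + "'"


def sqlvar_int(value):
    """Stand-in for <dtml-sqlvar x type="int">: the value must convert to an
    integer, so SQL text smuggled into a numeric field raises instead."""
    return str(int(value))  # ValueError for anything like "1 OR 1=1"


def unsafe_like_query(needle):
    """Equivalent of  WHERE name LIKE '%<dtml-var needle>%'  (the bad form)."""
    return "SELECT name FROM users WHERE name LIKE '%%%s%%'" % needle


def safe_like_query(needle):
    """Equivalent of  WHERE name LIKE <dtml-sqlvar expr="'%' + needle + '%'" type="string">:
    wildcards are added in Python, then the whole pattern is quoted as one literal."""
    return "SELECT name FROM users WHERE name LIKE %s" % sql_quote("%" + needle + "%")


def run(sql):
    """Run one statement against a constructed in-memory users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, is_admin INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", 0), ("bob", 0), ("root", 1)])
    rows = con.execute(sql).fetchall()
    con.close()
    return [r[0] for r in rows]


def demo():
    """Compare both forms on a normal search and on a hostile one."""
    hostile = "' OR 1=1 --"  # constructed attacker input; '--' comments out the rest
    try:
        sqlvar_int("1 OR 1=1")
        int_rejected = False
    except ValueError:
        int_rejected = True
    return {
        "unsafe_normal": run(unsafe_like_query("ali")),
        "safe_normal": run(safe_like_query("ali")),
        "unsafe_hostile": run(unsafe_like_query(hostile)),  # every row leaks
        "safe_hostile": run(safe_like_query(hostile)),      # nothing matches
        "int_rejected": int_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The hostile input turns the unsafe statement into `... LIKE '%' OR 1=1 --%'`, which returns every user; the quoted form searches for the literal text and returns nothing. Real quoting rules are backend-specific (the doubled-quote rule alone is not enough for a backend that also honours backslash escapes), which is why the sqlvar/sqlquote machinery of the database adapter, not hand-rolled string concatenation, should be the only thing that puts user data into a ZSQL Method.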