[Zope-dev] ZSQL using LIKE operator

Schmidt, Allen J. aschmidt@nv.cc.va.us
Fri, 9 Feb 2001 10:26:00 -0500


Not taken as being harsh from where I stand! The more we know...the better!
Thanks for the guidelines and the URL. It has been passed on to the group
that handles the MySQL on our server. Have not started using it for
Production, but will be soon.

From a recent post, I noticed that this topic might be better suited for the
normal Zope list. Would this be accurate? Comments welcome on accepted
topics.

Thanks

Allen

-----Original Message-----
From: Jon Franz [mailto:jfranz@one.net]
Sent: Friday, February 09, 2001 10:18 AM
To: 'Schmidt, Allen J.'
Cc: 'zope-dev@zope.org'
Subject: RE: Re: [Zope-dev] ZSQL using LIKE operator


sqltest just creates the full string of the where clause segment
for the test using the same kind of 'safe' sql-string logic as
sqlvar: so you should be able to replace the value to test against
with any valid python expression, such as the one below where
the % operators are concatenated onto the variable holding the
value you want to test against. :)

As for the difference between <dtml-sqlvar> and <dtml-var sqlquote>
(in case anyone is confused), an sqlvar tag requires a
type value and will not only perform an sqlquote on the value
being inserted into the statement, but will do any/all type
conversion/stripping (letters from numeric values, etc) needed
based upon the requested type.

If anyone is concerned/puzzled by the security hazards I listed
below, here is a URL describing problems associated with bad data
used within queries and a mysql DB:

http://www.mysql.com/doc/G/e/General_security.html

See the bullet point beginning with 'Do not trust any data entered by
your users.'

Sorry if I seemed harsh in my original post, but security is my
bread and butter, so I may tend to be Loud when I see something
wrong...


PS: In order to increase the safety of ZSQLMethods, maybe the basic
<dtml-var> tag should be made illegal inside it?  (forced usage
of the safe form would break some existent code, possibly, but 
would avoid confusion such as this in general - and thus be safer)

> -----Original Message-----
> From: Schmidt, Allen J. [mailto:aschmidt@nv.cc.va.us]
> Sent: Friday, February 09, 2001 7:01 AM
> To: 'Jon Franz'; 'zope-dev@zope.org'
> Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator
> 
> 
> Got it. Making the change now. Thanks for keeping an eye on
> this thread.
> What about the sqltest suggestion posted on this thread?
> Or do sqltest and sqlvar handle DB calls in a similar fashion?
> Thanks
> 
>> -----Original Message-----
>> From: Jon Franz [mailto:jfranz@one.net]
>> Sent: Thursday, February 08, 2001 3:54 PM
>> To: 'zope-dev@zope.org'
>> Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator
>> 
>> 
>> No, this is bad!! Do NOT do this - it will allow Bad 
<<SNIP>
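The sqlvar/sqltest behaviour Jon describes above (quote the value, coerce it by type, and append the LIKE wildcards to the Python value rather than to the raw SQL), as an added Python illustration that is not code from this thread or from Zope itself; the function names, the quote-doubling rule and the int() coercion are simplified stand-ins for Zope's implementation.

```python
# Added illustration: a simplified stand-in for Zope's sqlquote/sqlvar/sqltest.
# Assumption: quoting means wrapping in single quotes and doubling embedded
# quotes; "int" values are coerced with int(), which rejects stray letters.

def sql_quote(value):
    """Render value as a single-quoted SQL literal with embedded quotes doubled."""
    return "'" + str(value).replace("'", "''") + "'"


def sqlvar(value, type):
    """What <dtml-sqlvar name type=...> does: quote strings, coerce numerics.

    A non-numeric string given type=int raises ValueError instead of being
    pasted into the statement as-is."""
    if type == "string":
        return sql_quote(value)
    if type == "int":
        return str(int(value))
    raise ValueError("unsupported sqlvar type: %r" % type)


def sqltest(column, value, type, op="="):
    """Build the where-clause segment the way <dtml-sqltest> does: the value
    goes through the same quoting/typing logic as sqlvar."""
    return "%s %s %s" % (column, op, sqlvar(value, type))


def like_clause(column, value):
    """LIKE test: the % wildcards are concatenated onto the Python value, so
    they land inside the quoted literal and the literal stays intact."""
    return sqltest(column, "%" + value + "%", "string", op="like")


def raw_interpolation(column, value):
    """The plain <dtml-var> form Jon warns against: the value is dropped
    straight into the statement text with no quoting at all."""
    return "%s like '%%%s%%'" % (column, value)


if __name__ == "__main__":
    # Constructed sample input containing an apostrophe.
    name = "O'Brien"
    print(like_clause("name", name))       # name like '%O''Brien%'  (one literal)
    print(raw_interpolation("name", name))  # name like '%O'Brien%'   (literal breaks)
```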