[Zope] ZSQL security restriction with Zope 2-1-6 ?

Francois-Regis CHALAOUX Francois-Regis.CHALAOUX@sanofi-synthelabo.com
Fri, 28 Apr 2000 11:42:00 +0200


Date:  04/27/2000  05:09 pm  (Thursday)  
From:  Francois-Regis CHALAOUX
To:  INET:zope@zope.org
Subject:  ZSQL security restriction with Zope 2-1-6 ?

Hi All,

Since I upgraded from Zope-2.1.2 to Zope-2.1.6 I HAVE A BIG PROBLEM !!!

I created a little application to manage seminars. All the methods to consult
these seminars work, but all the methods to upgrade, create and delete now return
ERRORS. My DB is Gadfly.

Should I go back to 2.1.2? Should I change something in my code? Should I
modify Zope-2.1.6?

Help, please.

FR

===========
Environment
===========
Linux Suse-6.2
Python 5.2
Zope-2.1.6 upgrade from Zope-2.1.2 with patch
Zope-2.1.x-to-2.1.6-linux2-x86.tgz
Gadfly
===========

Below you can find the code of an example and the associated ERROR:

==========================
DTML Document saisies.html
==========================
<FORM ACTION="insert_seminar_do" METHOD="POST">
Blablabla ....
</FORM>

===============================
DTML Document insert_seminar_do
===============================
Blablabla ...
<!--#call "insert_seminar(REQUEST)"-->
Blablabla ...

=========================
SQL Method insert_seminar
=========================
Arguments : titre type jour numero mois annee heure minute nomconf prenomconf
titreconf adresseconf lieu nomhote prenomhote url

insert into seminar (id,
                     titre, 
                     type, 
                     jour, numero,mois,annee,heure,minute,floatdate,
                     nomconf, prenomconf, titreconf, adresseconf,
                     lieu,
                     nomhote, prenomhote,
                     url)
select max(id)+1,
<!--#sqlvar titre type=string-->,
<!--#sqlvar type type=string-->,
<!--#sqlvar jour type=int-->,<!--#sqlvar numero type=int-->,<!--#sqlvar mois type=int-->,
<!--#sqlvar annee type=int-->,<!--#sqlvar heure type=string-->,
<!--#sqlvar minute type=string-->,
<!--#var "tofltdate(REQUEST['numero'],REQUEST['mois'],REQUEST['annee'])"-->,
<!--#sqlvar nomconf type=string-->,<!--#sqlvar prenomconf type=string-->,
<!--#sqlvar titreconf type=string-->,<!--#sqlvar adresseconf type=string-->,
<!--#sqlvar lieu type=string-->,
<!--#sqlvar nomhote type=string-->,<!--#sqlvar prenomhote type=string-->,
<!--#sqlvar url type=string-->
 from seminar

=============================
tofltdate is an external method.
=============================

from DateTime import DateTime   # Zope's DateTime package

def tofltdate(numero, mois, annee):
    # Build "annee/mois/numero 0:00pm US/Eastern" and let Zope's DateTime
    # parse it; float() of a DateTime gives the date as a number.
    datum = "%s/%s/%s 0:00pm US/Eastern" % (annee, mois, numero)
    f = DateTime(datum)
    return float(f)

########################


 Error type:  NameError
 Error value: REQUEST
 -->
<!--
Traceback (innermost last):
  File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/Publish.py, line 214, in
publish_module
  File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/Publish.py, line 179, in
publish
  File /opt/zope/Zope-2.1.2/lib/python/Zope/__init__.py, line 202, in
zpublisher_exception_hook
    (Object: ElementWithAttributes)
  File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/Publish.py, line 165, in
publish
  File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/mapply.py, line 160, in
mapply
    (Object: insert_seminar_do)
  File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/Publish.py, line 102, in
call_object
    (Object: insert_seminar_do)
  File /opt/zope/Zope-2.1.2/lib/python/OFS/DTMLDocument.py, line 166, in
__call__
    (Object: insert_seminar_do)
  File /opt/zope/Zope-2.1.2/lib/python/DocumentTemplate/DT_String.py, line
502, in __call__
    (Object: insert_seminar_do)
  File /opt/zope/Zope-2.1.2/lib/python/DocumentTemplate/DT_Util.py, line 335,
in eval
    (Object: insert_seminar(REQUEST))
    (Info: REQUEST)
  File <string>, line 0, in ?
  File /opt/zope/Zope-2.1.2/lib/python/Shared/DC/ZRDB/DA.py, line 424, in
__call__
    (Object: insert_seminar)
  File /opt/zope/Zope-2.1.2/lib/python/DocumentTemplate/DT_String.py, line
502, in __call__
    (Object: <string>)
  File /opt/zope/Zope-2.1.2/lib/python/DocumentTemplate/DT_Util.py, line 335,
in eval
    (Object: tofltdate(REQUEST['numero'],REQUEST['mois'],REQUEST['annee']))
    (Info: REQUEST)
  File <string>, line 0, in ?
NameError: (see above)

--  >
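Added example, not code from the original post or from Zope: the same insert in plain Python, with sqlite3 standing in for Gadfly. It follows the shape the traceback points at for a fix, computing floatdate in the caller (where REQUEST is available) and handing it to the insert as a value, so that every column, the computed one included, goes through parameter binding (what sqlvar does) instead of being pasted into the SQL text the way `<!--#var ...>` does. The tofltdate here is a standard-library stand-in for Zope's DateTime and its day count is an assumption; the FORM data is constructed.

```python
import sqlite3
from datetime import datetime, timezone

# Table columns, in the order of the insert in the post.
COLUMNS = ("titre", "type", "jour", "numero", "mois", "annee", "heure", "minute",
           "floatdate", "nomconf", "prenomconf", "titreconf", "adresseconf",
           "lieu", "nomhote", "prenomhote", "url")

# Constructed stand-in for the REQUEST form data posted by saisies.html.
# nomhote carries a quote on purpose: bound parameters pass it through unharmed.
FORM = {"titre": "Zope security", "type": "talk", "jour": "Thursday", "numero": 27,
        "mois": 4, "annee": 2000, "heure": "10", "minute": "00", "nomconf": "Doe",
        "prenomconf": "Jane", "titreconf": "Dr", "adresseconf": "Strasbourg",
        "lieu": "Room 1", "nomhote": "O'Brien", "prenomhote": "Pat",
        "url": "http://example.org"}

def tofltdate(numero, mois, annee):
    """Days since 1970-01-01 00:00 UTC for annee/mois/numero.
    Stand-in for float(DateTime(...)) in Zope; the day-count convention is an
    assumption, not Zope's own formula."""
    midnight = datetime(int(annee), int(mois), int(numero), tzinfo=timezone.utc)
    return midnight.timestamp() / 86400.0

def open_db():
    """In-memory SQLite database standing in for Gadfly, with the seminar table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE seminar (id INTEGER, %s)" % ", ".join(COLUMNS))
    return conn

def insert_seminar(conn, form):
    """Equivalent of insert_seminar(REQUEST) with floatdate computed by the caller.
    Every value is bound as a parameter (sqlvar's job); nothing is interpolated
    into the SQL string. COALESCE keeps max(id)+1 from being NULL on an empty table."""
    values = dict(form)
    values["floatdate"] = tofltdate(form["numero"], form["mois"], form["annee"])
    sql = "INSERT INTO seminar (id, %s) SELECT COALESCE(MAX(id), 0) + 1, %s FROM seminar" % (
        ", ".join(COLUMNS), ", ".join("?" for _ in COLUMNS))
    conn.execute(sql, [values[c] for c in COLUMNS])
    conn.commit()
    return conn.execute(
        "SELECT id, nomhote, floatdate FROM seminar ORDER BY id DESC LIMIT 1").fetchone()

if __name__ == "__main__":
    print(insert_seminar(open_db(), FORM))
```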