[Zope] ZSQL security restriction with Zope 2-1-6 ?
Francois-Regis CHALAOUX
Francois-Regis.CHALAOUX@sanofi-synthelabo.com
Fri, 28 Apr 2000 11:42:00 +0200
Date: 04/27/2000 05:09 pm (Thursday)
From: Francois-Regis CHALAOUX
To: INET:zope@zope.org
Subject: ZSQL security restriction with Zope 2-1-6 ?
Hi All,
Since I upgraded from Zope-2.1.2 to Zope-2.1.6, I HAVE A BIG PROBLEM!!!
I created a little application to manage seminars. All the methods to consult
these seminars work, but all the methods to upgrade, create, delete now return
ERRORS. My DB is Gadfly.
Should I go back to 2.1.2? Should I change something in my code? Should I
modify Zope-2.1.6?
Help, please.
FR
===========
Environment
===========
Linux Suse-6.2
Python 5.2
Zope-2.1.6 upgrade from Zope-2.1.2 with patch
Zope-2.1.x-to-2.1.6-linux2-x86.tgz
Gadfly
===========
Below you can find the code of an example and the associated ERROR:
==========================
DTML Document saisies.html
==========================
<FORM ACTION="insert_seminar_do" METHOD="POST">
Blablabla ....
</FORM>
===============================
DTML Document insert_seminar_do
===============================
Blablabla ...
<!--#call "insert_seminar(REQUEST)"-->
Blablabla ...
=========================
SQL Method insert_seminar
=========================
Arguments : titre type jour numero mois annee heure minute nomconf prenomconf
titreconf adresseconf lieu nomhote prenomhote url
insert into seminar (id,
titre,
type,
jour, numero,mois,annee,heure,minute,floatdate,
nomconf, prenomconf, titreconf, adresseconf,
lieu,
nomhote, prenomhote,
url)
select max(id)+1,
<!--#sqlvar titre type=string-->,
<!--#sqlvar type type=string-->,
<!--#sqlvar jour type=int-->,<!--#sqlvar numero type=int-->,<!--#sqlvar mois type=int-->,
<!--#sqlvar annee type=int-->,<!--#sqlvar heure type=string-->,
<!--#sqlvar minute type=string-->,
<!--#var "tofltdate(REQUEST['numero'],REQUEST['mois'],REQUEST['annee'])"-->,
<!--#sqlvar nomconf type=string-->,<!--#sqlvar prenomconf type=string-->,
<!--#sqlvar titreconf type=string-->,<!--#sqlvar adresseconf type=string-->,
<!--#sqlvar lieu type=string-->,
<!--#sqlvar nomhote type=string-->,<!--#sqlvar prenomhote type=string-->,
<!--#sqlvar url type=string-->
from seminar
=============================
tofltdate is an external method.
=============================
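import string
import sys
from DateTime import *

def tofltdate(numero, mois, annee):
    # Build a "year/month/day 0:00pm US/Eastern" date string and
    # return the corresponding DateTime as a float.
    datum = string.join((str(annee) + "/" + str(mois) + "/" + str(numero)) + " 0:00pm US/Eastern", '')
    f = DateTime(datum)
    return float(f)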
########################
Error type: NameError
Error value: REQUEST
-->
</TD></TR></TABLE>
</TD>
</TR>
<TR>
<TD BGCOLOR="#6699CC" ALIGN=RIGHT VALIGN=BOTTOM COLSPAN="2"
WIDTH="150"><IMG SRC="Images/bottombar.gif" ALT="Curve graphic" WIDTH="150"
HEIGHT="26" BORDER="0"></TD>
<TD ALIGN=CENTER>
<HR NOSHADE SIZE="0">
<p class="footlink" align="center">
<A
HREF="http://sbi2.strasbourg.synthelabo.fr:8080/zseminar/insert_seminar_do?pp=1">Printable
Page</A>
<A
HREF="mailto:fchalaou@stasbourg.synthelabo.fr">Feedback</a>
<A
HREF="http://sbi2.strasbourg.synthelabo.fr:8080/zseminar/insert_seminar_do/view_source">DTML
Source</a>
</p></TD>
</TR>
</TABLE>
</BODY>
</HTML>
<!--
Traceback (innermost last):
  File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/Publish.py, line 214, in publish_module
  File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/Publish.py, line 179, in publish
  File /opt/zope/Zope-2.1.2/lib/python/Zope/__init__.py, line 202, in zpublisher_exception_hook
    (Object: ElementWithAttributes)
  File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/Publish.py, line 165, in publish
  File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/mapply.py, line 160, in mapply
    (Object: insert_seminar_do)
  File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/Publish.py, line 102, in call_object
    (Object: insert_seminar_do)
  File /opt/zope/Zope-2.1.2/lib/python/OFS/DTMLDocument.py, line 166, in __call__
    (Object: insert_seminar_do)
  File /opt/zope/Zope-2.1.2/lib/python/DocumentTemplate/DT_String.py, line 502, in __call__
    (Object: insert_seminar_do)
  File /opt/zope/Zope-2.1.2/lib/python/DocumentTemplate/DT_Util.py, line 335, in eval
    (Object: insert_seminar(REQUEST))
    (Info: REQUEST)
  File <string>, line 0, in ?
  File /opt/zope/Zope-2.1.2/lib/python/Shared/DC/ZRDB/DA.py, line 424, in __call__
    (Object: insert_seminar)
  File /opt/zope/Zope-2.1.2/lib/python/DocumentTemplate/DT_String.py, line 502, in __call__
    (Object: <string>)
  File /opt/zope/Zope-2.1.2/lib/python/DocumentTemplate/DT_Util.py, line 335, in eval
    (Object: tofltdate(REQUEST['numero'],REQUEST['mois'],REQUEST['annee']))
    (Info: REQUEST)
  File <string>, line 0, in ?
NameError: (see above)
-- >