[Zope] User-controlled report sorting with Z SQL Methods
Dieter Maurer
dieter@handshake.de
Tue, 14 Aug 2001 21:16:53 +0200 (CEST)
Andy Dustman writes:
> ...
> SELECT ...
> <dtml-var doOrderBy>
>
> However, nothing stops a malicious user from passing in doOrderBy on the
> form, which may do Very Bad Things. But, due to the DTML namespace, the
> client object is always on top of REQUEST, so any passed-in doOrderBy will
> not be seen (unless using <dtml-with REQUEST only>).
Do not be afraid:
Only the arguments you specified in the argument list
are taken from REQUEST. All other variables must
be available via acquisition or a bad request exception
is raised.
Dieter
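As an added example that is not part of this mailing-list thread or of Zope's own code, the following Python models the two points above: a Z SQL Method takes only the parameters named in its argument list from REQUEST (an undeclared `doOrderBy` is simply never seen, and a declared-but-missing one is an error), and when a sort column *is* declared and interpolated with `<dtml-var>`, the safe pattern is to map the user's choice onto a fixed allowlist of column names rather than interpolate the raw value. The report columns, the `orders` table and the dict-based REQUEST are constructed for illustration; `bind_arguments` is a stand-in for Zope's binding logic, not the real implementation.

```python
"""Added illustration (not Zope code): argument binding and safe ORDER BY.

Assumptions (constructed for this example):
  - REQUEST and acquisition are plain dicts.
  - The report reads from a hypothetical table `orders`.
"""


class BadRequest(Exception):
    """Raised when a declared argument is neither in REQUEST nor acquirable."""


# User-facing sort keys mapped to real column names.  The user's value never
# reaches the SQL text; only the right-hand side of this table does.
ALLOWED_SORT_COLUMNS = {
    "name": "customer_name",
    "date": "created_at",
    "total": "order_total",
}


def bind_arguments(declared, request, acquired=None):
    """Model of Z SQL Method binding: only *declared* names are read from
    REQUEST; undeclared keys are ignored; a declared name that is in neither
    REQUEST nor the acquisition context raises a bad-request error."""
    acquired = acquired or {}
    bound = {}
    for name in declared:
        if name in request:
            bound[name] = request[name]
        elif name in acquired:
            bound[name] = acquired[name]
        else:
            raise BadRequest(f"missing argument: {name}")
    return bound


def unsafe_order_by(value):
    """The pattern from the quoted message: raw <dtml-var doOrderBy>.
    Whatever string arrives is pasted into the query verbatim."""
    return f"ORDER BY {value}"


def build_order_by(sort_key, direction="asc"):
    """Hardened equivalent: translate the user's sort key through the
    allowlist and accept only a fixed set of directions."""
    column = ALLOWED_SORT_COLUMNS.get(sort_key)
    if column is None:
        raise ValueError(f"unknown sort key: {sort_key!r}")
    direction = str(direction).lower()
    if direction not in ("asc", "desc"):
        raise ValueError(f"unknown sort direction: {direction!r}")
    return f"ORDER BY {column} {direction.upper()}"


def build_report_query(request, acquired=None):
    """Bind only the declared arguments `sort` and `dir`, then assemble the
    report query with an allowlisted ORDER BY clause."""
    args = bind_arguments(["sort", "dir"], request, acquired)
    order_by = build_order_by(args["sort"], args["dir"])
    return f"SELECT customer_name, created_at, order_total FROM orders {order_by}"


if __name__ == "__main__":
    # Constructed request: an undeclared doOrderBy is present but ignored.
    req = {"sort": "date", "dir": "desc", "doOrderBy": "customer_name; SELECT 1"}
    print(build_report_query(req))
```

Running the module prints the query with `ORDER BY created_at DESC`; the extra `doOrderBy` key in the constructed request is never consulted, which is exactly the behaviour Dieter describes, and a `sort` value outside the allowlist is rejected before any SQL is built.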