[Zope] Bug in PostGre adapter for Zope, for type string in arguments of ZSQL Methods (?)
Tom Jenkins
tjenkins@devis.com
Thu, 23 Aug 2001 18:51:36 -0400
Andreas Heckel wrote:
>>I have tried some other ways to access the query:
>>select * from table_name where table_field2='<dtml-sqlvar argument2 type=string>';
>>...
>>I need help. Any comments can help me. Thanks.
>>
>
> select * from table_name where table_field2='<dtml-var argument2>'
>
> or
>
> select * from table_name where table_field2='<dtml-var "_.str(argument2)">'
>
ACK! No, no, no, don't use <dtml-var> in a SQL method, use <dtml-sqlvar>.
What if argument2 was set to "43;drop database mydatabase"? Yep,
you'd get a select, but your database would be erased. <dtml-sqlvar>
does checks to keep this type of attack from happening.
--
Tom Jenkins
devIS - Development Infostructure
http://www.devis.com
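The point Tom is making above, shown as an added example that is not part of the original thread or of Zope's own code. The table and column names (table_name, table_field2, argument2) are taken from the thread; the sqlvar() helper is a simplified emulation of what <dtml-sqlvar type=string> and type=int do (quote and escape, or insist on an integer), not the Zope implementation. SQLite is used in place of PostgreSQL so it runs offline; the stacked-statement path uses executescript() to stand in for a driver that accepts several statements in one call, as a PostgreSQL connection does. All inputs and rows are constructed.

```python
import sqlite3

# Constructed attacker inputs (not from the thread, which used "43;drop database mydatabase")
TAUTOLOGY = "' OR '1'='1"
STACKED = "x'; DROP TABLE table_name; --"


def make_db():
    """In-memory stand-in for the PostgreSQL database in the thread, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table_name (id INTEGER PRIMARY KEY, table_field2 TEXT)")
    conn.executemany("INSERT INTO table_name (table_field2) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn


def table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='table_name'"
    ).fetchone()
    return row is not None


def sqlvar(value, vartype="string"):
    """Simplified emulation (assumption, not Zope's code) of <dtml-sqlvar name type=...>.

    type=int: the value must parse as an integer, otherwise raise (this is the
    'check' that stops "43;drop database mydatabase" cold).
    type=string: wrap in single quotes and double any embedded quote so the
    whole value stays inside the literal.
    """
    if vartype == "int":
        return str(int(value))  # ValueError for anything that is not an integer
    if vartype == "string":
        return "'" + str(value).replace("'", "''") + "'"
    raise ValueError("unsupported sqlvar type: %r" % vartype)


def query_dtml_var(conn, argument2):
    """Equivalent of: select * from table_name where table_field2='<dtml-var argument2>'"""
    sql = "SELECT * FROM table_name WHERE table_field2='%s'" % argument2
    return conn.execute(sql).fetchall()


def query_dtml_sqlvar(conn, argument2):
    """Equivalent of: select * from table_name where table_field2=<dtml-sqlvar argument2 type=string>"""
    sql = "SELECT * FROM table_name WHERE table_field2=%s" % sqlvar(argument2, "string")
    return conn.execute(sql).fetchall()


def query_parameterized(conn, argument2):
    """The modern alternative: let the driver bind the value, no quoting by hand."""
    return conn.execute(
        "SELECT * FROM table_name WHERE table_field2=?", (argument2,)
    ).fetchall()


def run_stacked_dtml_var(conn, argument2):
    """<dtml-var> interpolation sent to a driver that accepts several statements per call."""
    sql = "SELECT * FROM table_name WHERE table_field2='%s'" % argument2
    conn.executescript(sql)  # emulates a multi-statement capable driver
    return table_exists(conn)


def run_stacked_dtml_sqlvar(conn, argument2):
    """Same driver, but the value goes through the sqlvar emulation first."""
    sql = "SELECT * FROM table_name WHERE table_field2=%s" % sqlvar(argument2, "string")
    conn.executescript(sql)
    return table_exists(conn)


def int_check_rejects(value):
    """True if the type=int check refuses the value, i.e. the query would never be built."""
    try:
        sqlvar(value, "int")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    print("dtml-var, tautology payload:", len(query_dtml_var(conn, TAUTOLOGY)), "rows")
    print("dtml-sqlvar, same payload:  ", len(query_dtml_sqlvar(conn, TAUTOLOGY)), "rows")
    print("parameterized, same payload:", len(query_parameterized(conn, TAUTOLOGY)), "rows")
    print("table survives stacked payload via dtml-var:   ", run_stacked_dtml_var(make_db(), STACKED))
    print("table survives stacked payload via dtml-sqlvar:", run_stacked_dtml_sqlvar(make_db(), STACKED))
    print("type=int rejects thread's payload:", int_check_rejects("43;drop database mydatabase"))
```

The tautology payload turns the <dtml-var> query into `... WHERE table_field2='' OR '1'='1'` and returns every row; after sqlvar() the same bytes are just a string literal that matches nothing. The stacked payload shows the "your database would be erased" case: with raw interpolation the DROP runs, with quoting it stays inside the literal. Note that <dtml-sqlvar> only protects the value it wraps; it does nothing for a value spliced in elsewhere with <dtml-var>.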