[Zope] safe strings in calling SQL
Reinoud van Leeuwen
reinoud@xs4all.nl
Wed, 18 Jul 2001 21:03:15 GMT
Hi,
I am implementing a search form where some strings will be used in SQL
methods.
It does not seem to be very safe to use a construct like
select record
from table
where field like "%<dtml-var string_from_form>"
because of the obvious hack where somebody fills in a string like:
bla"; drop table important_table;
Zope does contain some features where I can limit the input to fields
in forms, but the users really want to search for a string value.
Is there any product for this?
(Zope 2.3.3 on FreeBSD 4.2 connecting to PostgreSQL 7.1)
-- 
__________________________________________________
"Nothing is as subjective as reality"
Reinoud van Leeuwen reinoud@xs4all.nl
http://www.xs4all.nl/~reinoud
-> when replying to a mailinglist mail, please do <-
-> *NOT* cc: me as well. If I read the list I will <-
-> receive the reply as well! <-
__________________________________________________
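The hardened form of the search above, as an added example that is not from the original post or from Zope: the form value is bound as a query parameter instead of being spliced into the statement, and LIKE wildcards in it are escaped so a user typing 50% matches that text literally. Python's sqlite3 stands in for the PostgreSQL backend, and the table rows are constructed; in a Z SQL Method the equivalent of the bound parameter is <dtml-sqlvar string_from_form type="string">, which quotes the value, rather than <dtml-var>.

```python
import sqlite3

# Constructed sample rows standing in for "table" in the post; one row contains
# the attack string literally, so a correct search can find it as plain text.
ATTACK = 'bla"; drop table important_table;'
ROWS = [("alpha",), (ATTACK,), ("discount 50%",), ("discount 500",)]


def connect():
    """In-memory sqlite3 database in place of the PostgreSQL 7.1 backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (field TEXT)")
    conn.executemany("INSERT INTO records (field) VALUES (?)", ROWS)
    return conn


def escape_like(value, escape="\\"):
    """Escape LIKE metacharacters so the user's text matches literally.
    Binding a parameter stops injection but does not stop % and _ acting
    as wildcards inside the pattern; that needs ESCAPE handling as well."""
    return (value.replace(escape, escape + escape)
                 .replace("%", escape + "%")
                 .replace("_", escape + "_"))


def unsafe_sql(string_from_form):
    """The statement the post's <dtml-var> construct produces: form text spliced in verbatim."""
    return 'select record from table where field like "%' + string_from_form + '"'


def search_ends_with(conn, string_from_form):
    """Safe counterpart of: where field like "%<dtml-var string_from_form>".
    The value is bound as a parameter, never concatenated into SQL text.
    Backslash is also PostgreSQL's default LIKE escape character."""
    pattern = "%" + escape_like(string_from_form)
    cur = conn.execute(
        "SELECT field FROM records WHERE field LIKE ? ESCAPE '\\'", (pattern,))
    return [row[0] for row in cur.fetchall()]


def row_count(conn):
    """Number of rows left in the table, to confirm the search changed nothing."""
    return conn.execute("SELECT count(*) FROM records").fetchone()[0]
```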