[Zope] Saturday morning SELECT

ender kthangavelu@earthlink.net
Sat, 10 Mar 2001 03:11:16 -0800


On Saturday 10 March 2001 01:14, Paz wrote:
>>Morning/Afternoon/Night,
>>
>>Lazy Saturday morning, and I can't be bothered to leave the house. I've
>> made a little template, but I'm wondering if it's Pandora's box...
>>
>>>ZSQL Method<
>>
>>select:required
>>as:optional
>>from:required
>>where:optional
>>
>>select <dtml-var select> <dtml-if "as">as <dtml-var as></dtml-if>
>>from <dtml-var from>
>><dtml-if "where">where <dtml-var where></dtml-if>
>><dtml-if "operand"><dtml-var operand></dtml-if>
>><dtml-if "equals"><dtml-var equals></dtml-if>
>>
>>It renders any way you please... Obviously you need very tight security on
>>this as to who can access it... But other than using AUTHENTICATED_USER, is
>>there any possible way you might exploit this? I have a habit of doing most
>>of my work in the db, and something like this would totally ease the way I
>>build forms.....

This is suicidal, IMO. In Oracle I might try (obviously untested):
select == '1 from dual; drop table users cascade;'

You should try to use sqlvars in sqlmethods.

If you're just using it for development, maybe, but it seems rather risky to me for anything production.

cheers, kapil
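For anyone reading this thread later, here is an added example (not from either poster, and not Zope code) of why kapil's advice only goes half way: sqlvar-style binding protects *values*, but the template above also takes column and table *names*, which cannot be bound and must instead be checked against an allowlist. The example contrasts the thread's paste-everything builder with a hardened one, using Python's sqlite3 and a constructed `users` table; the `ALLOWED` table and the `safe_query`/`unsafe_query`/`demo` names are this example's own.

```python
import sqlite3

# Constructed allowlist: the only tables and columns a form may name.
ALLOWED = {"users": {"id", "name", "email"}}


def unsafe_query(select, from_, where=""):
    """What the thread's template does: every field is pasted in verbatim."""
    sql = f"select {select} from {from_}"
    return sql + (f" where {where}" if where else "")


def safe_query(select, from_, where_col=None, where_val=None):
    """Identifiers are checked against the allowlist; the value is bound."""
    if from_ not in ALLOWED:
        raise ValueError(f"table not allowed: {from_!r}")
    cols = ALLOWED[from_]
    if select != "*" and select not in cols:
        raise ValueError(f"column not allowed: {select!r}")
    sql, params = f"select {select} from {from_}", ()
    if where_col is not None:
        if where_col not in cols:
            raise ValueError(f"column not allowed: {where_col!r}")
        sql += f" where {where_col} = ?"   # value goes through a bind parameter
        params = (where_val,)
    return sql, params


def demo():
    """Runs both builders against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer, name text, email text)")
    conn.execute("insert into users values (1, 'paz', 'paz@example.invalid')")
    hostile = "1 from dual; drop table users cascade;"   # the value from the thread
    rejected = 0
    # As a column name or a table name, the hostile string fails the allowlist.
    for select, from_ in ((hostile, "users"), ("name", hostile)):
        try:
            safe_query(select, from_)
        except ValueError:
            rejected += 1
    # As a *value* it is harmless: bound as data, it simply matches no row.
    sql, params = safe_query("name", "users", "name", "x' or '1'='1")
    return {
        "unsafe_sql": unsafe_query(hostile, "users"),
        "rejected_identifiers": rejected,
        "rows_for_hostile_value": conn.execute(sql, params).fetchall(),
        "rows_for_paz": conn.execute(*safe_query("name", "users", "name", "paz")).fetchall(),
    }
```

`unsafe_query` is only ever rendered to a string here, never executed; the point is that its output contains a second statement, while `safe_query` either refuses the input or binds it.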