[Zope] Zope Data Access Flaw?
Randall F. Kern
randy@spoke.net
Tue, 1 May 2001 15:01:42 -0700
BTW, this is fixed in recent builds (like 2.3.1)
-Randy
> -----Original Message-----
> From: Casey Duncan [mailto:cduncan@kaivo.com]
> Sent: Tuesday, May 01, 2001 2:53 PM
> To: Brian Withun
> Cc: Zope mailing list
> Subject: Re: [Zope] Zope Data Access Flaw?
>
>
> Brian Withun wrote:
> >
> > I am using 2.1.4 (linux), and have stumbled across this little quirk...
> >
> > Create a ZSQL Method as follows:
> >
> > ================
> > SELECT <dtml-var "_.whrandom.randint(1000,9999)"> AS random_value
> > ================
> >
> > (Our ZSQL Method is connected to Sybase, but this works on MySQL as well)
> >
> > Then, simply test the ZSQL Method.
> >
> > Here's what I get:
> >
> > Random value
> > ----------------
> > 2754
> >
> > SQL used:
> > select 7684 as random_value
> >
> > 2754 is clearly not the same as 7684.
> >
> > This is quite repeatable, with different random numbers each time.
> > This works as expected if I replace the whrandom call with a constant,
> > but I can't imagine how whrandom can be the culprit.
> >
> > Brián Withun
>
> This is happening because Zope replays the method when it displays the
> SQL after testing it. So, randint is being called twice. Once to send
> the SQL code to the database and once more to display it on the screen.
>
> -- 
> | Casey Duncan
> | Kaivo, Inc.
> | cduncan@kaivo.com
> `------------------>
>
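
The replay behaviour explained in the quoted reply, as an added example that is not part of the original thread and is not Zope's code. It assumes sqlite3 in place of Sybase/MySQL, a constructed template, and hypothetical helpers `render`, `run_with_replay` and `run_render_once`; the second variant renders once so the SQL shown is the string that was actually executed.

```python
import random
import sqlite3

# Constructed stand-in for the ZSQL template in the thread; {rand} plays the
# role of <dtml-var "_.whrandom.randint(1000,9999)">.
TEMPLATE = "SELECT {rand} AS random_value"


def render(template, rng):
    """Render the template; every call evaluates the random expression again."""
    return template.format(rand=rng.randint(1000, 9999))


def run_with_replay(template, rng, conn):
    """Behaviour described in the thread: render to execute, render again to display."""
    value = conn.execute(render(template, rng)).fetchone()[0]
    sql_shown = render(template, rng)  # second evaluation, not what was executed
    return value, sql_shown


def run_render_once(template, rng, conn):
    """Render once and use the same string for execution and for display."""
    sql = render(template, rng)
    value = conn.execute(sql).fetchone()[0]
    return value, sql


def shown_matches_executed(value, sql_shown):
    """True when the displayed SQL contains the value the database returned."""
    return sql_shown == TEMPLATE.format(rand=value)


if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    rng = random.Random(2001)  # fixed seed so the run is repeatable
    for fn in (run_with_replay, run_render_once):
        value, sql_shown = fn(TEMPLATE, rng, conn)
        print(fn.__name__, value, "|", sql_shown,
              "| consistent:", shown_matches_executed(value, sql_shown))
```

The same consideration applies to any query log or audit trail built from a template with non-deterministic or side-effecting expressions: record the rendered string that was sent to the database rather than rendering again for the log.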