[Zope] variable SQL statements - from external methods

Jim Penny jpenny@universal-fasteners.com
Tue, 18 Sep 2001 17:35:44 -0400


On Tue, Sep 18, 2001 at 03:32:39PM -0600, ed colmar wrote:
> Hi All.
> 
>     Jim and several others were helping me to get my variable SQL methods
> working right.  They're great and do everything I want from the test window.
> When I call them from my external method, they come back with a REQUEST
> error.
> 
> This is how I call it:
This has not been tested, and I make no representation that it works.
try:
> 
> mastertablename = "sometablename"
> self.SQL_create_master_table(mastertablename=mastertablename)

  mastertablename = 'sometablename'
  # put the value where the ZSQL method's <dtml-var> lookup can find it
  REQUEST.set('mastertablename', mastertablename)
  self.SQL_create_master_table(mastertablename=mastertablename)

or maybe (if you have not a REQUEST at hand)

  mastertablename = 'sometablename'
  # self.REQUEST is the acquired request when none was passed in
  self.REQUEST.set('mastertablename', mastertablename)
  self.SQL_create_master_table(mastertablename=mastertablename)


> 
> Then I get:
> 
> Error Type: Bad Request
> Error Value: ['mastertablename']
> 
> What's the syntax to shove this variable and its value inside the request?
> Or am I doing something else wrong?
> 
> Thanks everyone!
> 
> -ed-
> 

Again, just so everyone is aware.  You have to do your own
enforcement and/or quote checking if you do this.  You want
to be real sure that the user cannot supply something like
'table test (garbage text); drop table my_lifes_work'
as the value for mastertablename.  At the very least you want
to reject any names with semicolons or periods, and probably want
mastertablename to be a span of [a-z0-9].

> > CREATE TABLE <dtml-var mastertablename>
> > (
> > ....
> > )
> 
> 
> 
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists - 
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
>
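The injection Jim warns about in his last paragraph, worked through as an added example that is not code from the post, from Zope, or from any ZSQL method. It assumes a throwaway SQLite database as a stand-in for whatever adapter the ZSQL method talks to, a constructed hostile table name modelled on the one in the post (shaped so that the column list the template appends still lands on a valid statement), and hypothetical helper names (validate_table_name, unsafe_create_sql, safe_create_sql, run_unsafe, run_safe). The whitelist is exactly the one Jim proposes: a run of [a-z0-9] and nothing else.

```python
import re
import sqlite3

# Whitelist from the post: a table name is a run of [a-z0-9], nothing else.
# Rejecting is the right reaction; unlike values, identifiers cannot be
# "quoted" into safety in a portable way.
TABLE_NAME_RE = re.compile(r"[a-z0-9]+")

# Constructed payload in the spirit of the post's example. The attacker
# supplies a complete first statement, the DROP, and the start of a third
# statement so that the "(...)" column list the template appends is
# still valid SQL and nothing aborts before the DROP runs.
MALICIOUS_NAME = "test (garbage text); drop table my_lifes_work; create table junk"

COLUMNS = "(id INTEGER, name TEXT)"  # stands in for the "...." in the post


def validate_table_name(name):
    """Return name unchanged if it is a safe identifier, else raise ValueError."""
    if not isinstance(name, str) or not TABLE_NAME_RE.fullmatch(name):
        raise ValueError("unsafe table name: %r" % (name,))
    return name


def unsafe_create_sql(mastertablename):
    """What CREATE TABLE <dtml-var mastertablename> (...) renders to:
    the value is pasted into the statement verbatim, with no checks."""
    return "CREATE TABLE %s %s" % (mastertablename, COLUMNS)


def safe_create_sql(mastertablename):
    """The same statement, built only after the identifier passes the whitelist."""
    return "CREATE TABLE %s %s" % (validate_table_name(mastertablename), COLUMNS)


def _fresh_db():
    """Throwaway in-memory database holding the table we do not want to lose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_lifes_work (x INTEGER)")
    return conn


def _table_exists(conn, name):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


def run_unsafe(mastertablename):
    """Execute the unchecked statement; return whether my_lifes_work survived.

    executescript runs every statement in the string, which is what an
    adapter that accepts multi-statement strings does with the rendered query.
    """
    conn = _fresh_db()
    try:
        conn.executescript(unsafe_create_sql(mastertablename))
        return _table_exists(conn, "my_lifes_work")
    finally:
        conn.close()


def run_safe(mastertablename):
    """Execute through the whitelisted builder.

    Returns (my_lifes_work survived, name was accepted).
    """
    conn = _fresh_db()
    try:
        try:
            conn.executescript(safe_create_sql(mastertablename))
            accepted = True
        except ValueError:
            accepted = False
        return _table_exists(conn, "my_lifes_work"), accepted
    finally:
        conn.close()


if __name__ == "__main__":
    print("unsafe, hostile name: my_lifes_work survived =", run_unsafe(MALICIOUS_NAME))
    print("safe,   hostile name: (survived, accepted) =", run_safe(MALICIOUS_NAME))
    print("safe,   good name:    (survived, accepted) =", run_safe("sometablename"))
```

The check belongs in the external method, before the name is pushed into REQUEST: once it is in REQUEST the ZSQL method will interpolate whatever is there, and a value that originally came from a form field is attacker-controlled. Widening the class to [a-z0-9_] is reasonable if your schema uses underscores; widening it to anything that admits spaces, quotes, semicolons or periods is not.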