[Zope] Re: dynamic sql query

Ben Avery ben@thesite.org
Thu, 30 Jan 2003 12:21:55 +0000


Eugen,

you can't easily do what you're trying to, safely. the <dtml-sqlvar ...> 
was created so that the variable substitution methods couldn't be 
maliciously used by people passing in a paramter of e.g. "3;drop 
database mydb", which would terminate the first sql statement, then make 
a new arbitrary one.

personally, I have a created a method for each table, e.g.
delete from employee where <dtml-sqltest emp_id multiple>

It is a pain to do this, but it's the only way without opening up your 
system to major risks. I believe there are products which will generate 
a batch of zsql methods for you - someone help point the way here please?
Or you could write a python script which does its own checking of 
parameters sent for safety, and against "safe" lists of tables, etc, and 
which then calls a zsql method with "unsafe" dtml-var substitutions.
Or if your really sure it couldn't be called maliciously, just go for it!
delete from <dtml-var database>.<dtml-var table>
where <dtml-var id_col> in
( <dtml-in id_list>
    <dtml-var sequence-item>,
   </dtml-in> )

Ben

Eugen Nedelcu wrote:
> On Thu, Jan 30, 2003 at 12:51:39PM +0100, martin f krafft wrote:
> 
>>first, shouldn't you be using dmtl-sqlvar? and second, i think the
>>problem is that dtml-var returns a string, which is single-quoted.
>>you'll need to fine a type="" argument for dtml-sqlvar that renders
>>unquoted characters.
> 
> 
> I don't think you understand my problem...
> I need to pass this arguments to my zsql method:
> 
> 1. database - string - the name of the database
> 2. table - string - the name of the table
> 3. pri - string - the name of the primary_key column
> 4. tuple_pri - tuple - a tuple with primary_keys of the rows
> 	which will be deleted.
> 
> In sql the query would be (i.e): 
> 
> delete from test.test where id in (1,3,7,9)
> 
> A zsql method like this:
> 
> delete from <dtml-var database>.<dtml-var table> where
> <dtml-sqltest id type=nb op=eq multiple>
> 
> will work if the name of the primary_key is id, but I
> want to pass that column name myself.
> 
> Hope that this make things more clear.
> Best regards.
>