[Zope] Re: dynamic sql query
Eugen Nedelcu
eugen@sifolt.ro
Thu, 30 Jan 2003 14:35:10 +0200
On Thu, Jan 30, 2003 at 12:21:55PM +0000, Ben Avery wrote:
> Eugen,
>
> you can't easily do what you're trying to, safely. the <dtml-sqlvar ...>
> was created so that the variable substitution methods couldn't be
> maliciously used by people passing in a parameter of e.g. "3;drop
> database mydb", which would terminate the first sql statement, then make
> a new arbitrary one.
>
I am aware of that.
> personally, I have created a method for each table, e.g.
> delete from employee where <dtml-sqltest emp_id multiple>
>
> It is a pain to do this, but it's the only way without opening up your
> system to major risks.
My application is one like Webmin or PHPMyAdmin, so it must be generic!
--
ICQ: 165549179
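Ben's point, that values must be bound rather than pasted into the statement, can also be applied in a generic tool: the table and column names (which no driver lets you bind) are checked against the database's own catalog, and the values go through placeholders, which is what `<dtml-sqlvar>` and `<dtml-sqltest ... multiple>` do for you in DTML. The example below is added here and is not Zope code or code from either poster; it uses Python's sqlite3 module, and the `employee` table and its rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample database standing in for the 'employee' table in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (emp_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.commit()
    return conn


def catalog(conn):
    """Map each table name to the set of its column names, read from the catalog."""
    tables = {}
    for (name,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        quoted = name.replace('"', '""')
        tables[name] = {row[1] for row in conn.execute('PRAGMA table_info("%s")' % quoted)}
    return tables


def generic_delete(conn, table, column, values):
    """Delete rows of `table` whose `column` is in `values`; returns rows removed.

    Identifiers are only interpolated if they exist in the catalog, so a
    request for a table that is not there (or a "name" that is really SQL)
    is refused. Values are never interpolated: they are bound as parameters,
    so "3;drop database mydb" is compared as a literal and matches nothing.
    """
    tables = catalog(conn)
    if table not in tables or column not in tables[table]:
        raise ValueError("unknown table or column: %r.%r" % (table, column))
    placeholders = ", ".join("?" for _ in values)
    sql = 'DELETE FROM "%s" WHERE "%s" IN (%s)' % (table, column, placeholders)
    cur = conn.execute(sql, list(values))
    conn.commit()
    return cur.rowcount


def remaining(conn, table):
    """Row count of a catalog-checked table (used to show the table survived)."""
    if table not in catalog(conn):
        raise ValueError("unknown table: %r" % (table,))
    return conn.execute('SELECT COUNT(*) FROM "%s"' % table).fetchone()[0]
```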