[Zope] Re: dynamic sql query

Ben Avery ben@thesite.org
Thu, 30 Jan 2003 12:52:21 +0000


then to do it safely you would have to either modify the source of 
sqlvar ([zope_base]/lib/python/Shared/DC/ZRDB/sqlvar.py) to give you a 
non-quoted type to use for table etc names [slight case of overkill], or 
call a generic python method with your values, which can do any checks 
for safety you need, e.g. make sure there are no ';'s, then that script 
calls your zsql method with the checked parameters. But make sure your 
zsql method can only be called by the python script - give it a local 
contextual role, and only let this role call the zsql method.

Eugen Nedelcu wrote:
> On Thu, Jan 30, 2003 at 12:21:55PM +0000, Ben Avery wrote:
> 
>>Eugen,
>>
>>you can't easily do what you're trying to, safely. the <dtml-sqlvar ...> 
>>was created so that the variable substitution methods couldn't be 
>>maliciously used by people passing in a parameter of e.g. "3;drop 
>>database mydb", which would terminate the first sql statement, then make 
>>a new arbitrary one.
>>
> 
> 
> I am aware of that.
> 
> 
>>personally, I have a created a method for each table, e.g.
>>delete from employee where <dtml-sqltest emp_id multiple>
>>
>>It is a pain to do this, but it's the only way without opening up your 
>>system to major risks.
> 
> 
> My application is one like Webmin or PHPMyAdmin, so it must be generic! 
>
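The checking layer Ben describes, a Python method that validates the table and column names before the query is built, as an added example that is not from this thread or from Zope: plain sqlite3 stands in for the ZSQL method, and the check goes further than rejecting ';' by allowlisting identifiers against the database catalogue while the values themselves stay as bound parameters.

```python
import re
import sqlite3

# Conservative identifier shape; anything else (spaces, ';', quotes) is rejected.
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def check_identifier(name, allowed):
    """Return name only if it looks like an identifier AND is in the allowed set."""
    if not _IDENT_RE.match(name):
        raise ValueError("unsafe identifier: %r" % name)
    if name not in allowed:
        raise ValueError("unknown identifier: %r" % name)
    return name


def known_tables(conn):
    # Allowlist drawn from the catalogue itself (sqlite's sqlite_master here).
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
    return {r[0] for r in rows}


def delete_rows(conn, table, column, values):
    """Generic 'delete where column in values': identifiers checked, values bound."""
    table = check_identifier(table, known_tables(conn))
    cols = {r[1] for r in conn.execute('PRAGMA table_info("%s")' % table)}
    column = check_identifier(column, cols)
    placeholders = ", ".join("?" for _ in values)
    # Only validated identifiers are interpolated; every value goes through '?'.
    sql = 'DELETE FROM "%s" WHERE "%s" IN (%s)' % (table, column, placeholders)
    return conn.execute(sql, list(values)).rowcount


def demo():
    # Constructed sample database standing in for the admin tool's backend.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (emp_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?)",
                     [(1, "a"), (2, "b"), (3, "c")])
    deleted = delete_rows(conn, "employee", "emp_id", [1, 3])
    remaining = conn.execute("SELECT COUNT(*) FROM employee").fetchone()[0]
    # The payload quoted in the thread never reaches the SQL builder when used
    # as a table name: it fails the identifier check first.
    try:
        delete_rows(conn, "3;drop database mydb", "emp_id", [1])
        rejected = False
    except ValueError:
        rejected = True
    return deleted, remaining, rejected
```

In Zope terms the Python script would do these checks and then call the ZSQL method, which only that script's role is allowed to invoke.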