[Zope] Re: dynamic sql query
Ben Avery
ben@thesite.org
Thu, 30 Jan 2003 12:52:21 +0000
Then, to do it safely, you would have to either modify the source of
sqlvar ([zope_base]/lib/python/Shared/DC/ZRDB/sqlvar.py) to give you a
non-quoted type to use for table etc. names [slight case of overkill], or
call a generic Python method with your values, which can do any checks
for safety you need, e.g. make sure there are no ';'s; then that script
calls your ZSQL method with the checked parameters. But make sure your
ZSQL method can only be called by the Python script - give it a local
contextual role, and only let this role call the ZSQL method.
Eugen Nedelcu wrote:
> On Thu, Jan 30, 2003 at 12:21:55PM +0000, Ben Avery wrote:
>
>>Eugen,
>>
>>you can't easily do what you're trying to, safely. The <dtml-sqlvar ...>
>>was created so that the variable substitution methods couldn't be
>>maliciously used by people passing in a parameter of e.g. "3;drop
>>database mydb", which would terminate the first sql statement, then make
>>a new arbitrary one.
>>
>
>
> I am aware of that.
>
>
>>personally, I have a created a method for each table, e.g.
>>delete from employee where <dtml-sqltest emp_id multiple>
>>
>>It is a pain to do this, but it's the only way without opening up your
>>system to major risks.
>
>
> My application is one like Webmin or PHPMyAdmin, so it must be generic!
>
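The "generic Python method that checks the values, then calls the ZSQL method" approach from the top of this message, as an added example that is not Ben's or Zope's code: a plain-Python stand-in (sqlite3 in place of a ZSQL method, and assumed names such as `check_identifier` and `delete_rows`) that goes beyond the ';' check in the mail by requiring a strict identifier shape and allow-listing the table name against the live schema, while the row values go through parameter binding.

```python
import re
import sqlite3

# Identifiers we accept: a leading letter or underscore, then letters, digits
# or underscores. Anything else (';', quotes, '--', whitespace) is rejected.
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def check_identifier(name, allowed):
    """Return `name` if it is a plain identifier AND in `allowed`, else raise.

    Rejecting ';' alone (the check the mail gives as an example) is too weak:
    quotes, comment markers and whitespace also break out of an identifier
    position, so the shape is pinned down and the name must be a known table.
    """
    if not isinstance(name, str) or not _IDENT_RE.match(name):
        raise ValueError("invalid identifier: %r" % (name,))
    if name not in allowed:
        raise ValueError("unknown table: %r" % (name,))
    return name


def table_names(conn):
    """Allow-list taken from the live schema (sqlite used here as a stand-in)."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
    return {r[0] for r in rows}


def delete_rows(conn, table, ids):
    """Delete rows by emp_id from `table`; returns the number of rows removed.

    Only a checked identifier is interpolated into the SQL text; the id values
    never touch it and are bound as parameters (the job sqlvar/sqltest does in
    a ZSQL method).
    """
    table = check_identifier(table, table_names(conn))
    placeholders = ",".join("?" for _ in ids)
    cur = conn.execute("DELETE FROM %s WHERE emp_id IN (%s)" % (table, placeholders), list(ids))
    conn.commit()
    return cur.rowcount


def demo():
    """Constructed sample data; returns (rows deleted, bad table names rejected)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (emp_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?)", [(1, "a"), (2, "b"), (3, "c")])
    deleted = delete_rows(conn, "employee", [1, 3])
    rejected = 0
    for bad in ("employee; drop table employee", "employee--", "sqlite_master", "Employee"):
        try:
            delete_rows(conn, bad, [2])
        except ValueError:
            rejected += 1
    return deleted, rejected
```

In Zope terms, `delete_rows` is the Python script that holds the local role, and the `DELETE` it runs stands in for the ZSQL method that only that script may call.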