[Zope] usage of dtml-sqltest tag in Zsql method
Dieter Maurer
dieter@handshake.de
Wed, 23 Jul 2003 20:40:11 +0200
Anitha George wrote at 2003-7-23 07:08 +0000:
> Someone please help me out with this:
>
> I am passing a string in this format (215,216) from the python script to
> the Zsql method.
> The SQL query should have the following form:
> select * from employees where id in (215,216)
> but is as follows:
> select * from employees where id in '(215,216)' which does not give the
> required result. The id is of data type string/nb. It doesn't accept integer
> values.
"dtml-sqltest multiple" works as you expect only when the value is a sequence
(list or tuple or something like this). For a string, it (correctly)
behaves as you observe.
You can use:
... id in <dtml-var YourParameter sql_quote> ...
Be warned that the use of "dtml-var" poses a potential security
risk. Most databases provide some way to enter several canned
SQL commands, e.g. separated by ";".
When you have such a DB and someone can control "YourParameter",
he may pass (e.g.) "(123); delete from TABLE" and the rows
in "TABLE" would be gone.
The "sql_quote" above should prevent this, but I am not sure
that it will escape the ";" in the example.
Dieter
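An added example (not from the list post or from Zope itself) of the alternative Dieter's first paragraph implies: have the calling Python script turn the "(215,216)" string into a real sequence of validated ids, so that "dtml-sqltest ... multiple" does its own quoting and no "dtml-var" is needed. The `sql_quote_like` helper is an assumption that only mirrors what sql_quote is commonly taken to do (double single quotes); it is there to show that such quoting leaves a ";" untouched, which is why input validation, not quoting, is the fix. The digits-only id format is also an assumption.

```python
import re

# Constructed sample input, in the format the original poster describes.
RAW_PARAM = "(215,216)"

# Assumption: an employee id is a string of digits. Tighten to your schema.
_ID_RE = re.compile(r"[0-9]+")


def parse_id_list(raw):
    """Convert "(215,216)" into a list of validated id strings.

    Pass the returned list (a real sequence, not a string) as the ZSQL
    method's parameter; <dtml-sqltest id type=string multiple> then
    renders id in ('215', '216') by itself. Anything that is not a
    comma-separated list of digit strings is rejected, so a ';' or a
    quote character never reaches the SQL text.
    """
    body = raw.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    ids = [part.strip() for part in body.split(",") if part.strip()]
    if not ids or not all(_ID_RE.fullmatch(part) for part in ids):
        raise ValueError("parameter is not a list of numeric ids: %r" % raw)
    return ids


def in_clause(ids):
    """Render the clause the way dtml-sqltest multiple (type=string) would."""
    return "id in (%s)" % ", ".join("'%s'" % i for i in ids)


def sql_quote_like(value):
    """Assumed stand-in for sql_quote: doubles single quotes and nothing else.

    Note that a ';' survives unchanged, so quoting alone does not address
    the stacked-statement concern raised in the post.
    """
    return value.replace("'", "''")


if __name__ == "__main__":
    print(in_clause(parse_id_list(RAW_PARAM)))
```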