[Zope] Re: Zope SQL injection

Maik Jablonski maik.jablonski at uni-bielefeld.de
Fri Mar 18 12:32:26 EST 2005


Andy Yates wrote:
> Could somebody either point me to an article or explain what precautions 
> should be taken to prevent SQL injection in Zope? If user-entered form 
> data is passed to a ZSQL method, does something automagically db-escape 
> the data, or is the programmer responsible for doing this? If the 
> programmer is responsible, how is it done in Zope? Thanks!

Don't use <dtml-var> in ZSQL Methods, use only <dtml-sqlvar>. 
<dtml-sqlvar> escapes the parameter automagically, so nobody can 
inject malicious code... at least I hope so... ;)

Cheers, Maik
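As an added illustration (not from this thread and not Zope's own code), here is a small Python model of the two directives: <dtml-var> splices the raw value into the query text, while <dtml-sqlvar> coerces it to one typed SQL literal. The model assumes the default string quoting (doubling embedded single quotes) and covers only type=string, type=int and type=float; real database adapters may apply their own quoting rules.

```python
"""Model of why <dtml-sqlvar> is safer than <dtml-var> in a ZSQL method.

Stand-alone illustration, not Zope's code: a tiny template renderer
emulates both directives so the difference can be run offline.
"""
import re

# Constructed template fragments in the style of a ZSQL method body.
UNSAFE_TEMPLATE = "SELECT * FROM users WHERE name = '<dtml-var name>'"
SAFE_TEMPLATE = "SELECT * FROM users WHERE name = <dtml-sqlvar name type=string>"

_TAG = re.compile(r"<dtml-(var|sqlvar) (\w+)(?: type=(\w+))?>")


def sql_quote_string(value):
    """Quote a string literal the way <dtml-sqlvar type=string> does:
    wrap it in single quotes and double every embedded single quote."""
    return "'" + str(value).replace("'", "''") + "'"


def sqlvar(value, sqltype):
    """Emulate <dtml-sqlvar>: the value is coerced to the declared type,
    so it can only ever become a single SQL literal."""
    if sqltype == "int":
        return str(int(value))          # ValueError on non-numeric input
    if sqltype == "float":
        return repr(float(value))
    return sql_quote_string(value)      # default / type=string


def render(template, args):
    """Expand both directives. <dtml-var> interpolates the raw text,
    which is exactly the behaviour the thread warns against."""
    def expand(match):
        directive, name, sqltype = match.groups()
        value = args[name]
        if directive == "var":
            return str(value)
        return sqlvar(value, sqltype or "string")
    return _TAG.sub(expand, template)


if __name__ == "__main__":
    # Constructed input containing a quote: under <dtml-var> it closes the
    # literal and changes the WHERE clause; under <dtml-sqlvar> it stays data.
    user_input = "x' OR 'a'='a"
    print(render(UNSAFE_TEMPLATE, {"name": user_input}))
    print(render(SAFE_TEMPLATE, {"name": user_input}))
```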
