[Zope] Re: Zope SQL injection
Maik Jablonski
maik.jablonski at uni-bielefeld.de
Fri Mar 18 12:32:26 EST 2005
Andy Yates wrote:
> Could somebody either point me to an article or explain what precautions
> should be taken to prevent SQL injection in Zope? If user-entered form
> data is passed to a ZSQL method, does something automagically db-escape
> the data, or is the programmer responsible for doing this? If the
> programmer is responsible, how is it done in Zope? Thanks!
Don't use <dtml-var> in ZSQL-Methods, use only <dtml-sqlvar>.
<dtml-sqlvar> escapes the parameter automagically, so nobody can
inject malicious code... at least I hope so...;)
Cheers, Maik
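An added illustration of the point in the reply above (example code, not from the thread or from Zope itself): it models the two ZSQL constructs in plain Python with an in-memory SQLite table. `lookup_interpolated` splices the value into the SQL text the way `<dtml-var>` does, `sqlvar_string` approximates the quoting that `<dtml-sqlvar ... type=string>` applies (single quotes doubled; assumed to be close to Zope's default `sql_quote__`, not a copy of it), `sqlvar_int` mirrors the type check that `<dtml-sqlvar ... type=int>` performs, and `lookup_parameterized` shows the driver-level bound parameter that modern database adapters offer as the preferred equivalent. The table contents and the user name `O'Brien` are constructed test data.

```python
import sqlite3


def build_db():
    """Create a throwaway in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("O'Brien", "ob@example.org"), ("Maik", "maik@example.org")],
    )
    return conn


def lookup_interpolated(conn, name):
    """Like <dtml-var name>: raw text spliced into the SQL statement.

    Any quote in the input changes the structure of the statement.
    """
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def sqlvar_string(value):
    """Approximation of <dtml-sqlvar name type=string> (assumption):
    wrap in single quotes and double any embedded single quote so the
    value always stays a string literal."""
    return "'" + str(value).replace("'", "''") + "'"


def sqlvar_int(value):
    """Approximation of <dtml-sqlvar name type=int>: refuse anything
    that is not an integer instead of trying to escape it."""
    try:
        return str(int(value))
    except (TypeError, ValueError):
        raise ValueError("not an integer: %r" % (value,))


def lookup_escaped(conn, name):
    """Like <dtml-sqlvar name type=string>: the value is quoted before
    it reaches the statement text."""
    sql = "SELECT email FROM users WHERE name = %s" % sqlvar_string(name)
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """The bound-parameter form: the driver keeps SQL text and data apart,
    so no escaping is done by the application at all."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo(name="O'Brien"):
    """Run all three lookups on the same input and report what happened."""
    conn = build_db()
    results = {}
    try:
        results["interpolated"] = lookup_interpolated(conn, name)
    except sqlite3.OperationalError as exc:
        # the quote in the name broke the statement: a syntax error here,
        # a changed WHERE clause with other inputs
        results["interpolated"] = "error: %s" % exc
    results["escaped"] = lookup_escaped(conn, name)
    results["parameterized"] = lookup_parameterized(conn, name)
    try:
        sqlvar_int("42; DROP TABLE users")
        results["int_rejected"] = False
    except ValueError:
        results["int_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-14s %s" % (key, value))
```

Running it shows the interpolated lookup failing on an ordinary name that contains an apostrophe, while the escaped and parameterized lookups both return `ob@example.org`; the same quoting that makes `O'Brien` work is what keeps a deliberately crafted value from altering the statement. The integer variant is there because escaping only protects string literals: a value that has to land in a numeric position must be validated as a number, which is exactly what `<dtml-sqlvar>`'s `type` attribute does.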