[Zope] Re: Zope SQL injection
Jim Penny
jpenny at universal-fasteners.com
Fri Mar 18 12:48:24 EST 2005
>Andy Yates wrote:
>> Could somebody either point me to an article or explain what
>> precautions should be taken to prevent SQL injection in Zope. If
>> user entered form data is passed to a ZSQL method, does something
>> automagically db escape the data, or is the programmer responsible for
>> doing this? If the programmer is responsible, how is it done in
>> Zope? Thanks!
>Don't use <dtml-var> in ZSQL-Methods, use only <dtml-sqlvar>.
><dtml-sqlvar> escapes the parameter automagically, so nobody can
>inject malicious code... at least I hope so...;)
>Cheers, Maik
OK, this is pretty close. Use dtml-sqlvar whenever possible.
dtml-sqlvar will sql_quote things declared string for you, and will
throw an exception if something declared float or integer can't be
evaluated.
Unfortunately, there are some fairly common cases where dtml-sqlvar
won't work. The best example is when using a LIKE clause.

    select * from foo where field like <dtml-sqlvar stuff type=string>%

will render as

    select * from foo where field like 'sql_quoted_form_of_stuff'%

which is syntactically incorrect.

You have to use

    select * from foo where field like '<dtml-var stuff sql_quote>%'
Do not sql_quote numeric items, always use dtml-sqlvar, as sql_quote
really just affects quoting, and does not escape semi-colon.
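A small Python model of the rendering differences described above, added here as an illustration rather than taken from the original post or from Zope itself. It assumes sql_quote escapes a single quote by doubling it and stands in for the DTML tags with plain functions.

```python
# Simplified model of ZSQL rendering (added example, not Zope's own code).
# Assumption: sql_quote doubles embedded single quotes and does nothing else;
# the real DTML machinery is not used here.

def sql_quote(value: str) -> str:
    """Model of the sql_quote filter: double single quotes, touch nothing else."""
    return value.replace("'", "''")

def sqlvar(value, type_: str) -> str:
    """Model of <dtml-sqlvar ... type=...>: quote strings, validate numbers."""
    if type_ == "string":
        return "'" + sql_quote(str(value)) + "'"
    if type_ == "int":
        return str(int(value))      # raises ValueError if not a whole integer
    if type_ == "float":
        return repr(float(value))   # raises ValueError if not a float
    raise ValueError(f"unknown sqlvar type {type_!r}")

def sqlvar_rejects(value, type_: str) -> bool:
    """True when sqlvar refuses the value (how a bad numeric input is stopped)."""
    try:
        sqlvar(value, type_)
    except ValueError:
        return True
    return False

def like_with_sqlvar(stuff: str) -> str:
    # <dtml-sqlvar stuff type=string>%  -> the closing quote lands before '%'
    return f"select * from foo where field like {sqlvar(stuff, 'string')}%"

def like_with_sql_quote(stuff: str) -> str:
    # '<dtml-var stuff sql_quote>%'     -> the wildcard stays inside the literal
    return f"select * from foo where field like '{sql_quote(stuff)}%'"

def where_id(value: str, use_sqlvar: bool) -> str:
    # Numeric position: sql_quote only handles quotes, so a semicolon passes
    # through untouched; sqlvar with type=int refuses anything non-numeric.
    if use_sqlvar:
        return f"select * from foo where id = {sqlvar(value, 'int')}"
    return f"select * from foo where id = {sql_quote(value)}"
```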