[Zope] Re: Zope SQL injection
Andy Yates
andy at nnu.com
Fri Mar 18 12:56:20 EST 2005
>
> Andy Yates wrote:
> > Could somebody either point me to an article or explain what
precautions
> > should be taken to prevent SQL injection in Zope. If user entered
form
> > data is passed to a ZSQL method does something automajically db
escape
> > the data or is the programmer responsible for doing this. If the
> > programmer is responsible, how is it done in Zope? Thanks!
>
> Don't use <dtml-var> in ZSQL-Methods, use only <dtml-sqlvar>.
> <dtml-sqlvar> is escaping the parameter automagically, so nobody can
> inject malicious code... at least I hope so...;)
>
> Cheers, Maik
>
Right, I use <dtml-sqlvar>. Now that I read the manual ;-) I clearly
see that is what the dtml-sqlvar prevents. Thanks! There has been a
lot of buzz about sql injection lately for some reason and I just wanted
to make double sure I understand the basics.
More information about the Zope
mailing list