[Zope] Re: Zope SQL injection

Andy Yates andy at nnu.com
Fri Mar 18 12:56:20 EST 2005


> 
> Andy Yates wrote:
> > Could somebody either point me to an article or explain what
> > precautions should be taken to prevent SQL injection in Zope.  If
> > user-entered form data is passed to a ZSQL method, does something
> > automagically DB-escape the data, or is the programmer responsible
> > for doing this?  If the programmer is responsible, how is it done
> > in Zope?  Thanks!
> 
> Don't use <dtml-var> in ZSQL Methods, use only <dtml-sqlvar>.
> <dtml-sqlvar> escapes the parameter automagically, so nobody can
> inject malicious code... at least I hope so...;)
> 
> Cheers, Maik
> 

Right, I use <dtml-sqlvar>.  Now that I've read the manual ;-) I clearly
see that this is what <dtml-sqlvar> prevents.  Thanks!  There has been a
lot of buzz about SQL injection lately for some reason, and I just wanted
to make double sure I understand the basics.
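The following is an added example, not code from the thread or from Zope itself. It models the difference Maik describes: a ZSQL method body using <dtml-var> pastes the form value straight into the SQL text, while <dtml-sqlvar> quotes strings (doubling embedded single quotes) and validates typed values such as type="int". The two template strings, the sample table, the tiny tag renderer and the sqlvar_quote helper are all constructed here for illustration; sqlvar_quote is a simplified model of what Zope's sqlvar tag does, not Zope's implementation.

```python
import re
import sqlite3

# Two ZSQL-method-style bodies (constructed for this example). The first uses
# <dtml-var>, the pattern warned against in the thread; the second is the fix.
UNSAFE_ZSQL = "SELECT id, name FROM users WHERE name = '<dtml-var name>' ORDER BY id"
SAFE_ZSQL = 'SELECT id, name FROM users WHERE name = <dtml-sqlvar name type="string"> ORDER BY id'
SAFE_INT_ZSQL = 'SELECT id, name FROM users WHERE id = <dtml-sqlvar id type="int"> ORDER BY id'


def make_db():
    """Constructed sample data; an in-memory SQLite table standing in for the real DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def sqlvar_quote(value, type_):
    """Simplified model of <dtml-sqlvar> quoting (assumption, not Zope's own code).

    int/float values are converted, so non-numeric input raises ValueError instead
    of reaching the SQL text; strings are wrapped in quotes with embedded single
    quotes doubled; nb ("non-blank") additionally rejects an empty value.
    """
    if type_ == "int":
        return str(int(value))
    if type_ == "float":
        return repr(float(value))
    if type_ in ("string", "nb"):
        if type_ == "nb" and not value:
            raise ValueError("non-blank value required")
        return "'" + str(value).replace("'", "''") + "'"
    raise ValueError("unsupported sqlvar type %r" % type_)


def sqlvar_rejects(value, type_):
    """True if <dtml-sqlvar> (as modelled here) would refuse this value for this type."""
    try:
        sqlvar_quote(value, type_)
    except ValueError:
        return True
    return False


# Minimal renderer for just the two tags used above; a stand-in for DTML evaluation.
TAG = re.compile(r'<dtml-(var|sqlvar) (\w+)(?: type="(\w+)")?>')


def render(template, args):
    """Expand <dtml-var>/<dtml-sqlvar> tags in a ZSQL-style template into SQL text."""
    def substitute(match):
        kind, name, type_ = match.groups()
        if kind == "var":
            return str(args[name])          # raw interpolation: no quoting at all
        return sqlvar_quote(args[name], type_ or "string")
    return TAG.sub(substitute, template)


def run(template, args):
    """Render the template with the given request arguments and return matching names."""
    conn = make_db()
    sql = render(template, args)
    return [row[1] for row in conn.execute(sql)]


if __name__ == "__main__":
    payload = "x' OR '1'='1"
    print("dtml-var   :", render(UNSAFE_ZSQL, {"name": payload}), "->", run(UNSAFE_ZSQL, {"name": payload}))
    print("dtml-sqlvar:", render(SAFE_ZSQL, {"name": payload}), "->", run(SAFE_ZSQL, {"name": payload}))
    print("int check  :", sqlvar_rejects("1 OR 1=1", "int"))
```

With the <dtml-var> template the payload turns the WHERE clause into `name = 'x' OR '1'='1'` and every row comes back; with <dtml-sqlvar> the same payload is a single quoted literal and matches nothing. The type="int" case shows the other half of the protection: a value that is not an integer never reaches the SQL text at all. Note that this only holds when every user-supplied value goes through <dtml-sqlvar>; a <dtml-var> anywhere in the method, including inside an ORDER BY or a table name, still interpolates raw text.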



