[Zope] MySQL queries in Python
Paul Winkler
pw_lists at slinkp.com
Tue Aug 1 20:29:14 EDT 2006
On Tue, Aug 01, 2006 at 02:50:19PM -0400, Muk Yan wrote:
> Dear Coveted Braintrust,
>
> I was wondering if anyone had any experience with MySQL queries in Python in
> Zope:
People have already answered your main question, but:
> SELECT name
> FROM person
> WHERE ID = <dtml-var "REQUEST.SESSION.get('person_id')">
Never ever pass raw user input to an SQL query! If you're not familiar
with the phrase "SQL injection"... google it :)
The Zope Book's relational databases chapter explains how to use
<dtml-sqlvar>, which is one way to avoid the danger.
--
Paul Winkler
http://www.slinkp.com
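As an added illustration of the point above (this is not code from the thread or from Zope), the following Python script shows what the quoted <dtml-var> query does when the session value is attacker-controlled, next to a parameterized lookup that behaves like <dtml-sqlvar person_id type="int">. It uses an in-memory sqlite3 table as a stand-in for the MySQL "person" table so it runs offline; the table contents and the hostile input are constructed for the example, and the function names are hypothetical.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the MySQL 'person' table from the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (ID INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO person VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def lookup_interpolated(conn, person_id):
    """Mirrors <dtml-var "REQUEST.SESSION.get('person_id')">.

    The value is pasted verbatim into the SQL text, so anything stored in
    the session becomes part of the query. Deliberately vulnerable.
    """
    sql = "SELECT name FROM person WHERE ID = %s" % person_id
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, person_id):
    """Mirrors <dtml-sqlvar person_id type="int">.

    The value is coerced to an integer (non-numeric input raises
    ValueError) and bound as a query parameter, never spliced into
    the SQL text, so it cannot change the query's structure.
    """
    pid = int(person_id)
    rows = conn.execute("SELECT name FROM person WHERE ID = ?", (pid,))
    return [row[0] for row in rows]


def demo():
    """Run both lookups against a benign and a hostile session value."""
    conn = make_db()
    benign = "2"
    hostile = "2 OR 1=1"  # constructed injection payload
    result = {
        "interpolated_benign": lookup_interpolated(conn, benign),
        "interpolated_hostile": lookup_interpolated(conn, hostile),
        "parameterized_benign": lookup_parameterized(conn, benign),
    }
    try:
        lookup_parameterized(conn, hostile)
        result["parameterized_hostile"] = "accepted"
    except ValueError:
        result["parameterized_hostile"] = "rejected"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The interpolated form returns every row for the hostile value because the WHERE clause has become `ID = 2 OR 1=1`; the parameterized form refuses the value outright, and even a numeric-looking string is sent to the database as data rather than as SQL.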