[Zope-DB] ZSQL Method security concern
Sun, 14 Apr 2002 23:52:06 +0200
Charlie Reiman writes:
> I have a bunch of queries I need to make for my product. These look like:
> select sum(thing1) from the_big_table where something...
> select sum(thing2) from the_big_table where something...
> select sum(thing3) from the_big_table where something...
> select sum(thing4) from the_big_table where something...
> I have this set up as a single ZSQL Method with a template like this:
> select sum(<dtml-var field>) from the_big_table where <dtml-var expr>
> This is insecure since I should be using dtml-sqlvar to escape suspect
> strings. Fine and dandy, except dtml-sqlvar is used for inserting SQL field
Let your forms pass just the minimal information necessary to
build your queries.
The DTML in your ZSQL method would be
"buildQuery" would be a Python Script that looks at REQUEST
and builds the correct select statement.
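An added example, not code from the thread, of what such a buildQuery script could do: the form supplies only a field key and filter values, both checked against allow-lists, and the filter values are bound as parameters rather than interpolated. It uses plain Python with an in-memory sqlite3 table standing in for the_big_table; the filter columns (region, year) and the sample rows are assumed.

```python
import sqlite3

# Added example, not from the original thread. Sketch of the "buildQuery"
# idea: only column *names* from fixed allow-lists reach the SQL text, and
# every value is bound as a parameter (the role dtml-sqlvar plays in ZSQL).

ALLOWED_FIELDS = ("thing1", "thing2", "thing3", "thing4")  # columns sum() may use
ALLOWED_FILTERS = ("region", "year")                       # columns WHERE may use (assumed)


def build_query(request):
    """Return (sql, params) for request, a dict standing in for Zope's REQUEST.

    'field' selects the column to sum; every other key is an equality filter.
    Unknown names are rejected so untrusted text never becomes SQL syntax.
    """
    field = request.get("field")
    if field not in ALLOWED_FIELDS:
        raise ValueError("field not permitted: %r" % (field,))
    conditions, params = [], []
    for key in sorted(request):
        if key == "field":
            continue
        if key not in ALLOWED_FILTERS:
            raise ValueError("filter not permitted: %r" % (key,))
        conditions.append("%s = ?" % key)   # name from allow-list, value bound below
        params.append(request[key])
    sql = "select sum(%s) from the_big_table" % field
    if conditions:
        sql += " where " + " and ".join(conditions)
    return sql, params


def run_query(request):
    """Execute build_query() against a constructed in-memory table; return the sum."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table the_big_table (thing1, thing2, thing3, thing4, region, year)")
    conn.executemany("insert into the_big_table values (?, ?, ?, ?, ?, ?)", [
        (1, 10, 100, 1000, "EU", 2001),   # constructed sample rows
        (2, 20, 200, 2000, "EU", 2002),
        (4, 40, 400, 4000, "US", 2001),
    ])
    sql, params = build_query(request)
    return conn.execute(sql, params).fetchone()[0]


if __name__ == "__main__":
    print(build_query({"field": "thing2", "region": "EU"}))
    print(run_query({"field": "thing2", "region": "EU"}))  # 30
```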