[Zope-DB] Re: dynamic SQL

Michal Kurowski mkur@poczta.gazeta.pl
Wed, 9 Apr 2003 02:00:47 +0200

Jim Penny [jpenny@universal-fasteners.com] wrote:
> Well, you have no security, whatsoever.  Anyone who can access method
> variable_sql can do anything that they want to our database.  Even if
> you somehow limit access to the method, you can't stop SQL injection.
> And you can't debug the SQL, since you have no idea of what will be
> executed.
> Go to the trouble now.  It will reduce your trouble later.

Well said.

But you might want to check some Zope products out:



Michal Kurowski