[Zope-DB] dynamic SQL

Fernando Martins fmartins@hetnet.nl
Wed, 9 Apr 2003 13:10:25 +0200

Thanks for replying,
> It is quite easy.  But you really, really, really don't want to do it.
> zsql method
> variable_sql
> parameter
> command
> body
> <dtml-var command>

It took me a while to understand what you mean with this list of items. So,
for the record, the idea is to create a zsql method called variable_sql with
a parameter called command and a body having only <dtml-var command>. The
zsql is called with a complete SQL statement from wherever you want.

> Now, what is wrong with this?
> Well, you have no security, whatsoever.  Anyone who can access method
> variable_sql can do anything that they want to our database.  Even if
> you somehow limit access to the method, you can't stop SQL injection.
> And you can't debug the SQL, since you have no idea of what will be
> executed.

Well, in my case is for an Intranet and it's essentially a prototype.

> Go to the trouble now.  It will reduce your trouble later.



PS: thanks also to Michal.