[Zope-DB] Using <dtml-var>s in ZSQL methods?

Charlie Clark charlie at egenix.com
Mon Jun 18 16:44:04 EDT 2007

On 18.06.2007, 22:10, Ken Winter <ken at sunward.org> wrote:

> Thanks Charlie & Jim ~
> SQL injection is a new one on me, and I'm glad to learn about it now
> (painlessly) rather than later (painfully).

Preventing SQL injection for non-savvy users (and letting them learn about  
it later when they might understand it better) is probably the single  
greatest reason for using ZSQL and Zope to integrate external RDBMS's.  
It's worth remembering that it was developed before bound parameters were  
generally supported and has unfortunately been somewhat neglected since.  
If you're going to want to manage and reuse your SQL calls then I would  
highly recommend you stick with ZSQL and <dtml-sqlvar ...> until you are  
more comfortable with Zope in general: it's easy to rack up twenty or  
thirty *completely* different SQL statements in a site and not need to look
at them again for a couple of years. Then, when you have to, it's  
incredibly wonderful being able to review and test them individually.

Charlie Clark

Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/

:::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,MacOSX for free ! ::::

     eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
     D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
            Registered at Amtsgericht Duesseldorf: HRB 46611
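As an added illustration of the point made above (not code from the post or from Zope itself), here is a small Python model of the two interpolation forms: `<dtml-var>` pastes the raw value into the SQL text, while `<dtml-sqlvar ... type=...>` validates by type and quotes strings. The table and column names, the `SQLVarError` class and the two modelled types (`int`, `string`) are assumptions made for the example.

```python
import re

# Constructed model of ZSQL interpolation, not Zope's own implementation.
# Only the two sqlvar types needed for the illustration are modelled.

class SQLVarError(ValueError):
    """Raised when a value does not fit the declared sqlvar type (assumed name)."""

def dtml_var(value):
    """<dtml-var x>: pastes str(value) into the SQL text unchanged."""
    return str(value)

def dtml_sqlvar(value, type="string"):
    """<dtml-sqlvar x type=...>: validate by declared type, quote strings."""
    if type == "int":
        # Anything that is not an integer literal is rejected instead of
        # being pasted into the statement.
        if not re.fullmatch(r"-?\d+", str(value).strip()):
            raise SQLVarError("int expected for sqlvar, got %r" % (value,))
        return str(int(value))
    if type == "string":
        # Standard SQL string quoting: double any embedded single quote.
        return "'" + str(value).replace("'", "''") + "'"
    raise SQLVarError("unsupported sqlvar type %r" % (type,))

def sqlvar_accepts(value, type):
    """True if dtml_sqlvar would render the value, False if it rejects it."""
    try:
        dtml_sqlvar(value, type)
        return True
    except SQLVarError:
        return False

def render_with_var(last_name):
    """Unsafe form: ... WHERE last_name = '<dtml-var last_name>'."""
    return "SELECT id FROM people WHERE last_name = '%s'" % dtml_var(last_name)

def render_with_sqlvar(last_name):
    """Recommended form: ... WHERE last_name = <dtml-sqlvar last_name type=string>."""
    return "SELECT id FROM people WHERE last_name = %s" % dtml_sqlvar(last_name, "string")

def render_by_id(person_id):
    """Typed form: ... WHERE id = <dtml-sqlvar person_id type=int>."""
    return "SELECT id FROM people WHERE id = %s" % dtml_sqlvar(person_id, "int")

if __name__ == "__main__":
    # Constructed sample input: a surname containing a quote.
    print(render_with_var("O'Brien"))     # unbalanced quote breaks the statement
    print(render_with_sqlvar("O'Brien"))  # quote is doubled, statement stays intact
    print(sqlvar_accepts("12abc", "int"))  # False: non-integer never reaches the SQL
```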
