[Zope-DB] Using <dtml-var>s in ZSQL methods?
charlie at egenix.com
Mon Jun 18 16:44:04 EDT 2007
Am 18.06.2007, 22:10 Uhr, schrieb Ken Winter <ken at sunward.org>:
> Thanks Charlie & Jim ~
> SQL injection is a new one on me, and I'm glad to learn about it now
> (painlessly) rather than later (painfully).
Preventing SQL injection for non-savvy users (and letting them learn about
it later when they might understand it better) is probably the single
greatest reason for using ZSQL and Zope to integrate external RDBMS's.
It's worth remembering that it was developed before bound parameters were
generally supported and has unfortunately been somewhat neglected since.
If you're going to want to manage and reuse your SQL calls then I would
highly recommend you stick with ZSQL and <dtml-sqlvar ...> until you are
more comfortable with Zope in general: it's easy to rack up twenty or
thiry *completely* different SQL statements in a site and not need to look
at them again for a couple of years. Then, when you have to, it's
incredibly wonderful being able to review and test them individually.
Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
:::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,MacOSX for free ! ::::
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
More information about the Zope-DB