[Zope] dtml-sqlvar quote

Farrell, Troy troy.farrell@wilcom.com
Fri, 20 Oct 2000 12:59:14 -0500


It is not safe if you have malicious users.  You will need to pass your
<dtml-var name="search_field"> through a filter.  This will help.  A better
example is a user taking advantage of an insert method:

insert into data values (<dtml-var name="value_1">, <dtml-var name="value_2">, <dtml-var name="value_3">)

where the user has found the Zsqlmethod by looking at
http://yourzopehost/objectIds and calls it like this:
http://yourzopehost/sqlADDUSER?value_3=randomvalue);SELECT%20*%20FROM%20secretpasswordtable/
Fortunately, Zope responds with a "testing the sql method" form if you are
authorized.

Troy
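Added example, not code from this thread or from Zope: a standalone Python sketch of the two defenses the thread points at, using sqlite3 and a constructed `data` table. Values go in as bind parameters (the job dtml-sqlvar does in a ZSQL method), and the column names used for `where` and `order by`, which cannot be quoted, are checked against an allowlist of the table's real columns; the `DATA_COLUMNS` tuple and the helper names are assumptions for the illustration.

```python
import sqlite3

# Assumed schema for the thread's "data" table. These names are the only
# identifiers a request may choose, so the tuple doubles as the allowlist.
DATA_COLUMNS = ("id", "name", "email")


def build_search_query(search_field, search_term, order_by):
    """Return (sql, params) for the search from the thread.

    Identifiers are allowlisted because they cannot be quoted; the value is
    passed as a bind parameter so it never becomes part of the SQL text.
    """
    if search_field not in DATA_COLUMNS:
        raise ValueError("unknown search_field: %r" % (search_field,))
    if order_by not in DATA_COLUMNS:
        raise ValueError("unknown order_by column: %r" % (order_by,))
    # Escape LIKE wildcards so a user cannot widen the match with % or _.
    escaped = (search_term.replace("\\", "\\\\")
                          .replace("%", "\\%")
                          .replace("_", "\\_"))
    pattern = "%" + escaped + "%"
    sql = ("SELECT id, name, email FROM data WHERE %s LIKE ? ESCAPE '\\' "
           "ORDER BY %s" % (search_field, order_by))
    return sql, (pattern,)


def run_search(conn, search_field, search_term, order_by):
    sql, params = build_search_query(search_field, search_term, order_by)
    return conn.execute(sql, params).fetchall()


def row_count(conn):
    return conn.execute("SELECT count(*) FROM data").fetchone()[0]


def demo_connection():
    # Constructed sample data for the illustration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO data VALUES (?, ?, ?)",
                     [(1, "alice", "alice@example.org"),
                      (2, "bob", "bob@example.org")])
    return conn


if __name__ == "__main__":
    c = demo_connection()
    print(run_search(c, "name", "ali", "id"))
    # The drop-table payload from the thread is just a pattern that matches nothing.
    print(run_search(c, "name", "'; drop table data; --", "id"), row_count(c))
```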

-----Original Message-----
From: Mark Twiddy [mailto:vtwiddy@senet.com.au]
Sent: Friday, October 20, 2000 3:22 AM
To: zope@zope.org
Subject: Re: [Zope] dtml-sqlvar quote



Hi all, thanks for the help.

Just on that. Is it safe to do 

select * from data where <dtml-var
search_field> like '%<dtml-var search_term>

as search_term could contain '; drop table blah; ' or whatever.
I thought by using <dtml-sqlvar > you could use untrusted values.

Thanks again

Mark

On Fri, 20 Oct 2000, Tony McDonald wrote:

> >
> >Hi all
> >
> >How can I pass a string to a sql method that won't be quoted?
> >
> >i.e. so I can do something like this
> >
> >.....
> >group by foo,blah
> >order by <dtml-sqlvar spam>
> >
> >
> >thanks mark
> > 
> 
> don't quote it?
> 
> ...
> order by <dtml-var spam>
> 
> 
> I use this all the time for things like
> 
> select * from data where <dtml-var search_field> like '%<dtml-var search_term>%'
> 
> tone
> 
> 
> 


_______________________________________________
Zope maillist  -  Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )