[Zope] Bug in PostGre adapter for Zope, for type string in arguments of ZSQL Methods (?)

Tom Jenkins tjenkins@devis.com
Thu, 23 Aug 2001 18:51:36 -0400


Andreas Heckel wrote:
>>I have tried some another ways to access the query:
>>select * from table_name where table_field2='<dtml-sqlvar> argument2 type=string>';
>>...
>>I need the Help. Every comments can help me. Thanks.
>>
> 
> select * from table_name where table_field2='<dtml-var argument2>'
> 
> or
> 
> select * from table_name where table_field2='<dtml-var
> "_.str(argument2)">'
> 

ACK! No, no, no, don't use <dtml-var> in a SQL method; use <dtml-sqlvar>.
What if argument2 was set to "43;drop database mydatabase"? Yep,
you'd get a select, but your database would be erased. <dtml-sqlvar>
does checks to keep this type of attack from happening.


-- 
Tom Jenkins
devIS - Development Infostructure
http://www.devis.com
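The point of the reply above, shown as runnable code. This is an added example, not code from the thread or from Zope: `naive_sql` stands in for a bare `<dtml-var>` pasted inside quotes, `sqlvar_string` is an assumed approximation of what `<dtml-sqlvar ... type=string>` renders (the value quoted, embedded quotes doubled), and an in-memory SQLite table stands in for the PostgreSQL table. The sample arguments are constructed; the quote-breakout one shows why raw substitution is the problem, since it lets the argument close the string literal and append its own condition, while the escaped and the driver-bound forms treat the whole value as data.

```python
import sqlite3

# Constructed sample values, not from the original thread. The second is the
# one mentioned in the reply; the third shows the quote breakout that a bare
# <dtml-var> inside '...' actually permits.
SAMPLE_ARGS = {
    "plain": "43",
    "semicolon": "43;drop database mydatabase",
    "quote_breakout": "43' or table_field2='44",
}


def naive_sql(arg):
    """What '<dtml-var argument2>' amounts to: raw text substitution."""
    return "select id from table_name where table_field2='%s'" % arg


def sqlvar_string(value):
    """Assumed approximation (not Zope's own code) of what
    <dtml-sqlvar argument2 type=string> renders: the value wrapped in single
    quotes with embedded single quotes doubled, so it cannot close the literal."""
    return "'%s'" % str(value).replace("'", "''")


def sqlvar_sql(arg):
    """sqlvar supplies its own quotes, so the template has none around it."""
    return "select id from table_name where table_field2=%s" % sqlvar_string(arg)


def build_demo_db():
    """In-memory SQLite stand-in for the PostgreSQL table in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table table_name (id integer, table_field2 text)")
    conn.executemany(
        "insert into table_name values (?, ?)",
        [(1, "43"), (2, "44"), (3, SAMPLE_ARGS["quote_breakout"])],
    )
    return conn


def rows_for(conn, sql, params=()):
    """Return the ids matched by a query, in table order."""
    return [row[0] for row in conn.execute(sql, params).fetchall()]


def compare(arg):
    """Run the same argument three ways and return the ids each query matched:
    raw substitution, sqlvar-style escaping, and driver-bound parameters."""
    conn = build_demo_db()
    return {
        "naive": rows_for(conn, naive_sql(arg)),
        "sqlvar": rows_for(conn, sqlvar_sql(arg)),
        "bound": rows_for(
            conn, "select id from table_name where table_field2=?", (arg,)
        ),
    }


if __name__ == "__main__":
    for name, arg in SAMPLE_ARGS.items():
        print(name, compare(arg))
```

With the quote-breakout argument, `naive` matches rows 1 and 2 (the injected `or` condition took effect), while `sqlvar` and `bound` match only row 3, the row whose value literally equals the argument. The semicolon value on its own matches nothing in any of the three forms because, inside an intact string literal, it is just text; it is the unescaped quote that turns the argument into SQL.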