[Zope] Dynamic ordering of DTML-IN?

Andrew Kenneth Milton akm@mail.theinternet.com.au
Wed, 24 Jan 2001 01:10:17 +1000


+-------[ Oliver Bleutgen ]----------------------
| > Then change your Z SQL Method to look like;
| 
| > select * from Customers where
| > foofield=<dtml-sqlvar search type=string>
| > <dtml-if orderby>
| > ORDER BY <dtml-var orderby>
| > </dtml-if>
| 
| Hmm, I wouldn't do that, you're trusting the client here,
| imagine someone going to 
| 
| http://yourserver/staff?orderby=firstname%20;%20delete from Customers;

You always validate external input, especially in a web environment.
I didn't think it was necessary to spell that out.

-- 
Totally Holistic Enterprises Internet|  P:+61 7 3870 0066   | Andrew Milton
The Internet (Aust) Pty Ltd          |  F:+61 7 3870 4477   | 
ACN: 082 081 472 ABN: 83 082 081 472 |  M:+61 416 022 411   | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|
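As an added example, not part of the thread above: the validation Andrew refers to, done for the `orderby` parameter before it is handed to the Z SQL Method. This is plain Python (something a Zope Python Script could do before calling the SQL method, rather than interpolating `<dtml-var orderby>` directly); the `Customers` column names in the allowlist are assumed for illustration, and the search value is left to a parameter placeholder so the database driver (or `dtml-sqlvar`) quotes it. Only identifiers that match an entry in the allowlist ever reach the SQL text, so the `orderby=firstname%20;%20delete ...` request from the quoted message is rejected.

```python
import re

# Constructed allowlist of sortable columns for the hypothetical Customers
# table; a real deployment would derive this from the schema, not guess it.
ALLOWED_ORDER_COLUMNS = {"lastname", "firstname", "city", "created"}

# The only shape an ORDER BY request may take: one identifier, an optional
# ASC/DESC, surrounding whitespace, and nothing else (no ';', ',', quotes).
_ORDERBY_RE = re.compile(
    r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(ASC|DESC)?\s*$", re.IGNORECASE
)


def validate_orderby(orderby, allowed=ALLOWED_ORDER_COLUMNS):
    """Return a safe 'ORDER BY <column> <dir>' fragment, or '' if no
    ordering was requested.  Raises ValueError for anything that is not
    an allowlisted column name with an optional sort direction."""
    if not orderby:
        return ""
    m = _ORDERBY_RE.match(orderby)
    if not m:
        raise ValueError("invalid orderby parameter")
    column = m.group(1).lower()
    direction = (m.group(2) or "ASC").upper()
    if column not in allowed:
        raise ValueError("orderby refers to an unknown column")
    # column is now guaranteed to equal one of the allowlist entries.
    return "ORDER BY %s %s" % (column, direction)


def build_query(orderby=None):
    """Assemble the Customers query.  The search value is bound through a
    placeholder (quoted by the driver), and the ORDER BY clause is only
    ever built from the validated, allowlisted column name."""
    sql = "SELECT * FROM Customers WHERE foofield = %s"
    clause = validate_orderby(orderby)
    if clause:
        sql += " " + clause
    return sql


if __name__ == "__main__":
    print(build_query("lastname"))
    try:
        # Constructed hostile value, equivalent to the URL quoted in the thread.
        build_query("firstname ; delete from Customers;")
    except ValueError as e:
        print("rejected:", e)
```

The allowlist is the important part: a character filter alone would still let a request name a column the application never meant to expose (sorting by a secret field leaks information through result order), whereas an explicit set of permitted columns rejects both the injection and that quieter misuse.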