[Zope] Re: dynamic sql query

Jim Penny jpenny@universal-fasteners.com
Thu, 30 Jan 2003 10:45:14 -0500


On Thu, Jan 30, 2003 at 01:33:15PM +0100, Dieter Fischer wrote:
> Hello
> 
> This is an example of exUserFolder, it should also work for your problem:
> 
> Arguments:
> 
> table=adressen
> usernameColumn=dbusername
> username:string
> 
> SQL:
> 
> DELETE FROM <dtml-var table>
> where <dtml-var usernameColumn>=<dtml-sqlvar username type=string>

Better would be, in that it still prevents SQL injection:

DELETE FROM <dtml-var table sql_quote>
where <dtml-var usernameColumn sql_quote>=<dtml-sqlvar username type=string>

But, I agree with everyone else in this thread.  This is a horrid
design; suitable for use only inside a firewall with a highly trusted
audience.  It is far better to write many controllable and auditable SQL
methods than a few generalized ones that cannot be trusted.

And I do not really buy the "it must be general" idea.  That would be
true only if you are allowing end users to create new tables, and then
you would not know enough of the structure to present the results of a
select, anyway.

Jim Penny
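The point both posters circle around is that `<dtml-sqlvar>` binds the *value* safely, while the table and column names are spliced into the statement text, which is what makes the generalized method hard to trust. The following is an added illustration, not code from the thread or from exUserFolder: it is plain Python with the standard-library `sqlite3` module, the "adressen"/"dbusername" names and the sample rows are constructed for the demo, and the `ALLOWED_TABLES` mapping is an assumption standing in for the small, known set of tables such a method would actually serve. Identifiers cannot be passed as bound parameters, so the example checks them against that allowlist and quotes them, and passes the username as a parameter, which is the database-API equivalent of `<dtml-sqlvar username type=string>`.

```python
import sqlite3

# Constructed allowlist: the only table/column pairs this method may touch.
# In the thread's terms this is the "many controllable SQL methods" idea
# folded into one method whose reach is fixed at design time.
ALLOWED_TABLES = {
    "adressen": {"dbusername", "email"},
}


def build_delete(table, username_column):
    """Return a DELETE statement for an allowlisted table/column pair.

    The identifiers are spliced into the SQL text (there is no other way to
    parameterize them), so they are accepted only if they are literally on
    the allowlist; the value stays a '?' placeholder for the driver to bind.
    Raises ValueError for anything not on the allowlist.
    """
    if table not in ALLOWED_TABLES:
        raise ValueError("table not allowed: %r" % (table,))
    if username_column not in ALLOWED_TABLES[table]:
        raise ValueError("column not allowed: %r" % (username_column,))
    # Double quotes are the SQL-standard identifier delimiter.
    return 'DELETE FROM "%s" WHERE "%s" = ?' % (table, username_column)


def is_accepted(table, username_column):
    """True if build_delete() would accept this identifier pair."""
    try:
        build_delete(table, username_column)
        return True
    except ValueError:
        return False


def delete_user(conn, table, username_column, username):
    """Run the validated DELETE with the username bound as a parameter.

    Returns the number of rows removed.
    """
    sql = build_delete(table, username_column)
    cur = conn.execute(sql, (username,))
    conn.commit()
    return cur.rowcount


def demo():
    """Exercise the method against an in-memory database with constructed rows.

    Returns (rows deleted for 'alice', rows left, rows deleted for "o'brien").
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE adressen (dbusername TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO adressen VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    deleted_alice = delete_user(conn, "adressen", "dbusername", "alice")
    remaining = conn.execute("SELECT COUNT(*) FROM adressen").fetchone()[0]
    # A value containing a quote character is just data once it is bound;
    # no row matches, so nothing is deleted and nothing breaks.
    deleted_obrien = delete_user(conn, "adressen", "dbusername", "o'brien")
    return deleted_alice, remaining, deleted_obrien


if __name__ == "__main__":
    print(demo())
    print(is_accepted("adressen", "dbusername"), is_accepted("adressen", "id"))
```

The allowlist is the auditable part: reviewing it tells you exactly which tables the method can delete from, which is the property the thread says a fully dynamic `<dtml-var table>` lacks. If end users really could create tables, the allowlist could not be static, which is the same objection Jim raises about not knowing the structure well enough to present results anyway.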