[Zope] Passing python generated SQL to ZSQL in a DTML method

Jim Penny jpenny at universal-fasteners.com
Mon Nov 17 12:54:10 EST 2003


On Mon, 17 Nov 2003 10:44:39 -0700
hpinson at indepthl.com wrote:

> Hi. I have a dynamic Python generated SQL string which is available 
> to a dtml-method page:
> 
> <dtml-var generated_sql> parses to: select item_id from items
> 
> I want to pass that string to a ZSQL method named: sqlMethod
> 
> with the argument: the_sql
> 
> and the content: <dtml-var the_sql>
> 
> In a dtml method i want to call sqlMethod, pass the generated_sql to 
> it, and return the results, that is:
> 
> <dtml-in sqlMethod>
>   <dtml-var item_id>
> </dtml-in>
> 
> Any suggestions on how to approach this?

Yes, don't.  

You have unlimited potential for SQL injection.

This means that anyone who can access your application can modify any
record whose table name can be guessed.  They can also probably delete
tables, and may be able to build tables.  You probably don't want this.

The idea of dynamic SQL appears to be something that every Zope beginner
comes to, sooner or later.  I know it happened to me, and I even wrote
a HOWTO on doing this.  It is a bad idea.  Instead of trying to
construct the minimum number of ZSQL methods, try to build the minimum
number of secure methods.  You will sleep much better.

Jim Penny
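The two designs Jim contrasts, as an added example that is not part of the original thread or of Zope itself: a query built by pasting caller text into the statement (what a ZSQL method whose body is just `<dtml-var the_sql>` does) beside one with a fixed statement and a bound parameter (what `<dtml-sqlvar name type="string">` does in ZSQL), plus an allowlist for the one thing a bind parameter cannot carry, the table name. The `items` table, its rows and the helper names are constructed for this example; sqlite3 stands in for whatever database the ZSQL method would talk to.

```python
import sqlite3

# Constructed sample data standing in for the "items" table in the post.
SAMPLE_ROWS = [
    (1, "bolt"),
    (2, "O'Ring"),   # a legitimate value that happens to contain a quote
    (3, "washer"),
]

# The only tables this "ZSQL method" is allowed to read. Identifiers cannot
# be bound as parameters, so they are chosen from a fixed list, never taken
# from the request.
ALLOWED_TABLES = {"items": "select item_id from items"}


def make_db() -> sqlite3.Connection:
    """Create an in-memory database filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table items (item_id integer primary key, name text)")
    conn.executemany("insert into items values (?, ?)", SAMPLE_ROWS)
    return conn


def items_by_name_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Mirrors a ZSQL method whose body is <dtml-var the_sql>: the caller's
    text becomes part of the statement, so data can change its structure."""
    generated_sql = "select item_id from items where name = '" + name + "'"
    return [row[0] for row in conn.execute(generated_sql)]


def items_by_name_safe(conn: sqlite3.Connection, name: str) -> list:
    """Mirrors a ZSQL method with a fixed statement and
    <dtml-sqlvar name type="string">: the value is bound as a parameter and
    is never parsed as SQL, whatever characters it contains."""
    rows = conn.execute("select item_id from items where name = ?", (name,))
    return [row[0] for row in rows]


def items_from_table_safe(conn: sqlite3.Connection, table: str) -> list:
    """Dynamic choice of table without dynamic SQL: the caller picks a key,
    the statement itself is fixed. Unknown keys are refused, not interpolated."""
    if table not in ALLOWED_TABLES:
        raise ValueError("table not permitted: %r" % table)
    return [row[0] for row in conn.execute(ALLOWED_TABLES[table])]


def compare(name: str) -> tuple:
    """Run both lookups for one input. Returns (safe_result, unsafe_result);
    if the interpolated statement no longer parses, unsafe_result is the
    database error text instead of a row list."""
    conn = make_db()
    safe = items_by_name_safe(conn, name)
    try:
        unsafe = items_by_name_unsafe(conn, name)
    except sqlite3.Error as exc:
        unsafe = "error: %s" % exc
    return safe, unsafe


if __name__ == "__main__":
    for value in ("bolt", "O'Ring"):
        print(value, "->", compare(value))
    print("items via allowlist ->", items_from_table_safe(make_db(), "items"))
```

For a plain value both lookups agree; for `O'Ring` the interpolated statement breaks because the quote in the data is read as part of the SQL, while the bound version returns the right row. That difference in how the database sees the input is the whole injection problem, and the fix is the same one the reply recommends: a small number of ZSQL methods with fixed statements and `<dtml-sqlvar>` parameters, not one method that executes whatever text it is handed.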


