[Zope] RDBMS Applications and direct calling of script(python) and sql methods

Eric Merritt cyberlync at yahoo.com
Thu Oct 9 16:36:41 EDT 2003


I am looking to use Zope for a database driven web
application. For the most part Zope looks like a good
fit and will definitely speed up development. However,
there seems to be a major security issue for database
driven sites.

Let's take a simple example: assume that each user has
an id that is keyed to his 'stuff'. The ZSQL method
must be passed this id to access his stuff. This is
all fine and good; a Script (Python) method could
provide this to the ZSQL method behind the scenes
without any great issue. The problem comes in when the
user attempts to access this ZSQL method via its
URL. Going this route he could pretty easily supply
an arbitrary id and get access to information that he
shouldn't have.

This assumes that the user is aware of, or can guess,
the name of the ZSQL method. This isn't enough of a
protection in my mind.

I am sorry if I wasn't super coherent in this post, I
had a very long day and late night last night.

Thanks for the input,
Eric

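Example added here (not from the original post and not Zope code): a plain-Python model of the gap Eric describes, with an in-memory sqlite table standing in for the RDBMS and a hypothetical principal-to-id map standing in for the session. It shows the URL-reachable path returning another user's rows, and the Script (Python) style wrapper that binds the query to the authenticated user instead of trusting an id from the request.

```python
"""Model of the access-control gap described in the post, in plain Python
(not Zope code): a parameterised "SQL method" keyed on a user id, one
caller that trusts an id from the request (the URL-reachable ZSQL method),
and one that derives the id from the authenticated principal instead."""
import sqlite3

# Constructed sample data: each user's 'stuff' is keyed to the owner's id.
SAMPLE_ROWS = [(1, "alice-doc-1"), (1, "alice-doc-2"), (2, "bob-secret")]
# Constructed, hypothetical session store mapping authenticated principal
# to owner id (in Zope this would come from the authenticated user object).
PRINCIPAL_TO_ID = {"alice": 1, "bob": 2}


def make_db():
    """Create an in-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stuff (owner_id INTEGER, item TEXT)")
    conn.executemany("INSERT INTO stuff VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def sql_get_stuff(conn, owner_id):
    """Stands in for the ZSQL method: parameterised (no injection), but it
    returns rows for whatever owner_id it is handed."""
    cur = conn.execute(
        "SELECT item FROM stuff WHERE owner_id = ? ORDER BY item", (owner_id,))
    return [row[0] for row in cur.fetchall()]


def direct_url_call(conn, request):
    """The URL-reachable path the post worries about: owner_id comes straight
    from the request, so any caller can read any user's rows."""
    return sql_get_stuff(conn, int(request["id"]))


def script_get_my_stuff(conn, request, authenticated_user):
    """The Script (Python) wrapper: ignores any id in the request and binds
    the query to the id of the authenticated principal only."""
    owner_id = PRINCIPAL_TO_ID.get(authenticated_user)
    if owner_id is None:
        raise PermissionError("no authenticated user")  # anonymous: deny
    return sql_get_stuff(conn, owner_id)


if __name__ == "__main__":
    db = make_db()
    tampered = {"id": "2"}  # alice supplies bob's id in the URL
    print(direct_url_call(db, tampered))               # bob's rows leak
    print(script_get_my_stuff(db, tampered, "alice"))  # only alice's rows
```

The wrapper is only a defence if the SQL method itself is not reachable by URL, which is the second half of the problem the post raises.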


