[Zope] Storing DTML in SQL

Richard Harley richard at scholarpack.com
Wed Aug 18 12:43:26 EDT 2010


On 18/08/10 17:38, Andrew Milton wrote:
> +-------[ Garry Saddington ]----------------------
> | Andrew Milton wrote:
> |>  +-------[ Garry Saddington ]----------------------
> |>  | Garry Saddington wrote:
> |>  |>  Justin Dunsworth wrote:
> |>  |>>  I am currently working on a project where I am storing HTML within a
> |>  |>>  MySQL database to display dynamic pages and content in sequences. I
> |>  |>>  would like to be able to store DTML within the tables as well and be
> |>  |>>  able to call them within the page to display that content. I tried
> |>  |>>  mixing the DTML in with the HTML and it shows the HTML correctly but no
> |>  |>>  DTML.
> |>  |>>
> |>  |>>  Is it possible to even do this? Are there other suggestions on how to go
> |>  |>>  about this?
> |>  |>
> |>  |>  The closest I have found is on Zopelabs
> |>  |>  (http://www.zopelabs.com/cookbook/1078612026)
> |>  |
> |>  | Sorry, wrong recipe; try this:
> |>  |
> |>  | http://www.zopelabs.com/cookbook/993850737/1011691351
> |>
> |>  Do I really have to explain why that particular recipe is a bad idea? d8)
> |>
> | Just trying to be helpful. I did say that it was the only thing I can
> | find and I did not recommend it.
> | If you would care to share the problems of the recipe on the list then I
> | am sure all those reading who are new to Zope would benefit;)
>
> Since python scripts are web callable and something has to be passed
> in... The phrase "execute arbitrary code" is nearly always quickly
> followed by the phrase "remote exploit" and lots of sad faces (and
> then some finger pointing d8)
>
>
If that is the case, aren't all python scripts within Zope potentially 
exploitable?

