It is not safe if you have malicious users. You will need to pass your
<dtml-var name="search_field"> through a filter. This will help. A better
example is a user taking advantage of an insert method:

insert into data values (<dtml-var name="value_1">, <dtml-var name="value_2">, <dtml-var name="value_3">)

where the user has found the ZSQL Method by looking at
http://yourzopehost/objectIds and calls it like this:

http://yourzopehost/sqlADDUSER?value_3=randomvalue);SELECT%20*%20FROM%20secretpasswordtable/

Fortunately, Zope responds with a "testing the sql method" form if you are
authorized.
Troy
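The two failure modes in this thread (a raw <dtml-var> in a WHERE clause, and a raw <dtml-var> in a VALUES list that lets the caller stack a second statement) reproduced as an added example in plain Python with sqlite3. This is not code from the thread or from Zope: the `data` and `secretpasswordtable` schema is constructed here, `executescript()` stands in for a database adapter that executes several statements in one call, and because `executescript()` returns no rows the stacked statement is the `drop table` Mark mentions rather than Troy's `SELECT`. Parameter binding plays the role of <dtml-sqlvar> quoting; the column allow-list is one form of the "filter" Troy asks for, since a column or ORDER BY name cannot be bound as a parameter.

```python
"""Added example, not part of the Zope thread: <dtml-var> vs <dtml-sqlvar>
style SQL construction, reproduced with sqlite3. Schema and data are constructed."""
import sqlite3

# Constructed schema: the thread's `data` table plus a table worth stealing.
SCHEMA = """
CREATE TABLE data (name TEXT, email TEXT, note TEXT);
INSERT INTO data VALUES ('alice', 'alice@example.org', 'first user');
INSERT INTO data VALUES ('bob', 'bob@example.org', 'second user');
CREATE TABLE secretpasswordtable (username TEXT, password TEXT);
INSERT INTO secretpasswordtable VALUES ('admin', 'hunter2');
"""

# Identifiers cannot be bound as parameters, so a caller-supplied column
# name (Tony's search_field / order-by spam) must be checked against an
# allow-list. This is the "filter" Troy refers to (assumed design, not Zope's).
ALLOWED_COLUMNS = frozenset({"name", "email", "note"})


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def unsafe_search(conn, search_field, search_term):
    """Equivalent of
         select * from data where <dtml-var search_field> like '%<dtml-var search_term>%'
    Both values are pasted into the SQL text without quoting."""
    sql = f"select * from data where {search_field} like '%{search_term}%'"
    return conn.execute(sql).fetchall()


def safe_search(conn, search_field, search_term):
    """Column name allow-listed; the term is bound as a parameter, which is
    what <dtml-sqlvar search_term type=string> quoting is meant to achieve."""
    if search_field not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown column: {search_field!r}")
    sql = f"select * from data where {search_field} like ?"
    return conn.execute(sql, (f"%{search_term}%",)).fetchall()


def unsafe_insert(conn, value_1, value_2, value_3):
    """Equivalent of Troy's
         insert into data values (<dtml-var value_1>, <dtml-var value_2>, <dtml-var value_3>)
    executescript() stands in for an adapter that runs stacked statements."""
    sql = f"insert into data values ('{value_1}', '{value_2}', '{value_3}')"
    conn.executescript(sql)


def safe_insert(conn, value_1, value_2, value_3):
    """Every value bound; the payload is stored as data, never parsed as SQL."""
    conn.execute("insert into data values (?, ?, ?)", (value_1, value_2, value_3))
    conn.commit()


def table_exists(conn, table):
    row = conn.execute(
        "select count(*) from sqlite_master where type='table' and name=?", (table,)
    ).fetchone()
    return row[0] == 1


def demo():
    # Mark's worry: search_term carries a quote and more SQL. The '--' comments
    # out the trailing %' so the statement still parses.
    term = "zzz%' OR 1=1 --"
    conn = setup_db()
    leaked = unsafe_search(conn, "name", term)  # LIKE bypassed, every row comes back
    bound = safe_search(conn, "name", term)     # [] : the term is just a string

    # Troy's scenario: value_3 closes the VALUES list and appends a statement.
    payload = "randomvalue'); DROP TABLE secretpasswordtable; --"
    conn = setup_db()
    unsafe_insert(conn, "eve", "eve@example.org", payload)
    dropped = not table_exists(conn, "secretpasswordtable")

    conn = setup_db()
    safe_insert(conn, "eve", "eve@example.org", payload)
    survived = table_exists(conn, "secretpasswordtable")
    stored = conn.execute("select note from data where name='eve'").fetchone()[0]
    return {
        "leaked_rows": len(leaked),
        "bound_rows": len(bound),
        "dropped": dropped,
        "survived": survived,
        "stored_payload": stored == payload,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the raw-interpolation search returning both rows for a term that matches nothing, the unquoted insert dropping `secretpasswordtable`, and the bound versions returning no rows and storing the payload verbatim. The allow-list in `safe_search` is what Troy's "filter" has to do for a column name, because quoting (sqlvar or bind parameters) only protects values, never identifiers such as the one in `order by <dtml-var spam>`.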
-----Original Message-----
From: Mark Twiddy [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 20, 2000 3:22 AM
To: [EMAIL PROTECTED]
Subject: Re: [Zope] dtml-sqlvar quote
Hi all, thanks for the help.

Just on that. Is it safe to do

select * from data where <dtml-var search_field> like '%<dtml-var search_term>

as search_term could contain '; drop table blah; ' or whatever.
I thought by using dtml-sqlvar you could use untrusted values.

Thanks again
Mark
On Fri, 20 Oct 2000, Tony McDonald wrote:

> > Hi all
> > How can I pass a string to a sql method that won't be quoted.
> > i.e. so I can do something like this
> > .
> > group by foo,blah
> > order by <dtml-sqlvar spam>
> > thanks mark
>
> don't quote it?
>
> ...
> order by <dtml-var spam>
>
> I use this all the time for things like
>
> select * from data where <dtml-var search_field> like '%<dtml-var search_term>%'
>
> tone
___
Zope maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )