Re: [Zope] dtml-sqlvar quote

2000-10-20 Thread Tony McDonald


Hi all

How can I pass a string to a SQL method that won't be quoted?

i.e. so I can do something like this

.
group by foo,blah
order by <dtml-sqlvar spam>


thanks mark
 

don't quote it?

...
order by <dtml-var spam>


I use this all the time for things like

select * from data where <dtml-var search_field> like '%<dtml-var search_term>%'

tone


___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




RE: [Zope] dtml-sqlvar quote

2000-10-20 Thread Farrell, Troy

It is not safe if you have malicious users.  You will need to pass your
<dtml-var name="search_field"> through a filter.  This will help.  A better
example is a user taking advantage of an insert method:

insert into data values (<dtml-var name="value_1">, <dtml-var name="value_2">, <dtml-var name="value_3">)

where the user has found the ZSQL Method by looking at
http://yourzopehost/objectIds and calls it like this:
http://yourzopehost/sqlADDUSER?value_3=randomvalue);SELECT%20*%20FROM%20secretpasswordtable/
Fortunately, Zope responds with a "testing the sql method" form if you are
authorized.

Troy

-Original Message-
From: Mark Twiddy [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 20, 2000 3:22 AM
To: [EMAIL PROTECTED]
Subject: Re: [Zope] dtml-sqlvar quote



Hi all, thanks for the help.

Just on that. Is it safe to do

select * from data where <dtml-var search_field> like '%<dtml-var search_term>

as search_term could contain '; drop table blah; ' or whatever.
I thought by using dtml-sqlvar you could use untrusted values.

Thanks again

Mark

On Fri, 20 Oct 2000, Tony McDonald wrote:

 
 Hi all
 
 How can I pass a string to a SQL method that won't be quoted?
 
 i.e. so I can do something like this
 
 .
 group by foo,blah
 order by <dtml-sqlvar spam>
 
 
 thanks mark
  
 
 don't quote it?
 
 ...
 order by <dtml-var spam>
 
 
 I use this all the time for things like
 
 select * from data where <dtml-var search_field> like '%<dtml-var search_term>%'
 
 tone
 
 
 


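As an added example (not code from this thread or from Zope), the filter Troy describes done in plain Python against an in-memory sqlite3 table constructed here: the LIKE term is bound as a parameter, while the column names used after WHERE and ORDER BY, which cannot be quoted, are checked against an allow-list before being spliced into the statement. The table and column names are assumptions.

```python
import sqlite3

# Constructed stand-in for the thread's "data" table; column names are assumptions.
ALLOWED_COLUMNS = {"id", "name", "foo", "blah"}


def safe_identifier(name):
    """Allow-list filter for a column name that is spliced into SQL unquoted.
    Identifiers (the column after WHERE, GROUP BY or ORDER BY) cannot be
    parameter-bound or quoted by <dtml-sqlvar>, so the only safe filter is to
    reject anything that is not a known column name.
    """
    if name not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed: %r" % (name,))
    return name

def search(conn, search_field, search_term, order_by):
    """The thread's LIKE query with the filter applied.
    search_field and order_by are identifiers -> allow-list checked.
    search_term is a value -> bound as a parameter, never spliced into the SQL.
    """
    sql = "select id, name, foo, blah from data where %s like ? order by %s" % (
        safe_identifier(search_field), safe_identifier(order_by))
    return conn.execute(sql, ("%" + search_term + "%",)).fetchall()

def make_demo_db():
    """In-memory sqlite3 database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table data (id integer, name text, foo text, blah text)")
    conn.execute("create table blah (x integer)")  # the table Mark worried about
    conn.executemany("insert into data values (?, ?, ?, ?)",
                     [(1, "alice", "a", "x"), (2, "bob", "b", "y"), (3, "carol", "c", "z")])
    conn.commit()
    return conn

def table_exists(conn, table):
    row = conn.execute("select count(*) from sqlite_master where type='table' and name=?",
                       (table,)).fetchone()
    return row[0] == 1

def rejected(conn, order_by):
    """True when the query is refused before any SQL is built."""
    try:
        search(conn, "name", "a", order_by)
    except ValueError:
        return True
    return False
```

The `'; drop table blah; '` term Mark mentions just becomes a pattern that matches nothing, and a column name outside the allow-list is refused before any statement reaches the database.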




Re: [Zope] dtml-sqlvar quote

2000-10-19 Thread Curtis Maloney

On Fri, 20 Oct 2000, Mark Twiddy wrote:
 Hi all

 How can I pass a string to a SQL method that won't be quoted?

 i.e. so I can do something like this

 .
 group by foo,blah
 order by <dtml-sqlvar spam>


don't use sqlvar... just put:

order by <dtml-var spam>


works for me. (o8


 thanks mark


Have a better one,
Curtis Maloney
