RE: Re: [Zope-dev] ZSQL using LIKE operator

2001-02-09 Thread Jon Franz

sqltest just creates the full string of the where clause segment 
for the test using the same kind of 'safe' sql-string logic as 
sqlvar: so you should be able to replace the value to test against 
with any valid python expression, such as the one below where 
the % operators are concatenated onto the variable holding the 
value you want to test against. :)

As for the difference between dtml-sqlvar and dtml-var sqlquote 
(in case anyone is confused), an sqlvar tag requires a 
type value and will not only perform an sqlquote on the value 
being inserted into the statement, but will do any/all type 
conversion/stripping (letters from numeric values, etc) needed 
based upon the requested type.  

If anyone is concerned/puzzled by the security hazards I listed 
below, here is a URL describing problems associated with bad data 
used within queries and a mysql DB:

http://www.mysql.com/doc/G/e/General_security.html

See the bullet point beginning with 'Do not trust any data entered by 
your users.'

Sorry if I seemed harsh in my original post, but security is my
bread and butter, so I may tend to be Loud when I see something
wrong...


PS: In order to increase the safety of ZSQLMethods, maybe the basic
dtml-var tag should be made illegal inside it?  (forced usage
of the safe form would break some existing code, possibly, but 
would avoid confusion such as this in general - and thus be safer)

 -Original Message-
 From: Schmidt, Allen J. [mailto:[EMAIL PROTECTED]]
 Sent: Friday, February 09, 2001 7:01 AM
 To: 'Jon Franz'; '[EMAIL PROTECTED]'
 Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator
 
 
 Got it. Making the change now. Thanks for keeping an eye on 
 this thread. 
 What about the sqltest suggestion posted on this thread? 
 Or do sqltest
 and sqlvar handle DB calls in a similar fashion?
 Thanks
 
 -Original Message-
 From: Jon Franz [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, February 08, 2001 3:54 PM
 To: '[EMAIL PROTECTED]'
 Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator
 
 
 No, this is bad!! Do NOT do this - it will allow Bad 
SNIP

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
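The following is an added illustration, not code from the post above and not Zope's own implementation. It is a small stand-alone Python model of the three ways a value can reach a ZSQL statement that the message describes (a bare dtml-var, dtml-var with sqlquote / dtml-sqlvar, and dtml-sqltest), rendered on a constructed injection string so the difference is visible. Everything in it is an assumption about behaviour rather than a call into Zope: quoting is modelled as ANSI quote-doubling (real database adapters, MySQL's included, may escape differently), the numeric types reject non-numeric input instead of stripping it, the `like` operator name for the sqltest model is assumed, and the `like_literal` helper goes one step beyond the thread by escaping user-typed `%` and `_` with a standard-SQL `ESCAPE` clause, since quoting alone does not stop those characters from acting as wildcards.

```python
"""
Added illustration (not Zope's code): a stand-alone model of the three ways a
value can reach a ZSQL statement, as described in the post above.

Assumptions, since nothing here calls Zope:
  * quoting doubles single quotes and wraps the value in quotes (ANSI SQL);
    real DB adapters may escape differently, e.g. MySQL's backslash rules;
  * the numeric types reject non-numeric input instead of stripping it;
  * LIKE wildcards are escaped with the standard-SQL ESCAPE clause.
"""


class BadInput(ValueError):
    """Value could not be converted to the requested sqlvar type."""


def sql_quote(value) -> str:
    """Model of 'sqlquote': double embedded quotes, wrap in single quotes."""
    return "'" + str(value).replace("'", "''") + "'"


def dtml_var_raw(value) -> str:
    """Model of a bare <dtml-var name>: raw interpolation, no protection."""
    return str(value)


def dtml_sqlvar(value, type_: str) -> str:
    """Model of <dtml-sqlvar name type=...>: quote strings, convert numbers."""
    if type_ == "string":
        return sql_quote(value)
    if type_ == "int":
        try:
            return str(int(str(value).strip()))
        except ValueError:
            raise BadInput(f"not an int: {value!r}") from None
    if type_ == "float":
        try:
            return repr(float(str(value).strip()))
        except ValueError:
            raise BadInput(f"not a float: {value!r}") from None
    raise ValueError(f"unsupported sqlvar type: {type_}")


# Operator names assumed for the sqltest model; 'like' is the one the thread needs.
_OPS = {"eq": "=", "ne": "<>", "lt": "<", "le": "<=",
        "gt": ">", "ge": ">=", "like": "LIKE"}


def dtml_sqltest(column: str, value, type_: str, op: str = "eq") -> str:
    """Model of <dtml-sqltest>: builds the whole predicate, with the value
    treated exactly as dtml_sqlvar would treat it."""
    return f"{column} {_OPS[op]} {dtml_sqlvar(value, type_)}"


def like_literal(user_text: str, escape: str = "!") -> str:
    """Quoting protects the statement, not the pattern: a user-typed '%' or
    '_' still acts as a wildcard inside LIKE. Escape those, then add the
    developer's own leading/trailing '%' and declare the escape character."""
    t = user_text.replace(escape, escape * 2)
    t = t.replace("%", escape + "%").replace("_", escape + "_")
    return sql_quote("%" + t + "%") + f" ESCAPE '{escape}'"


def build_query(user_input: str, form: str) -> str:
    """Render the same search four ways so the results can be compared."""
    base = "SELECT id, name FROM users WHERE "
    if form == "raw":           # the pattern the thread says not to use
        return base + "name = '" + dtml_var_raw(user_input) + "'"
    if form == "sqlvar":
        return base + "name = " + dtml_sqlvar(user_input, "string")
    if form == "sqltest-like":  # developer-supplied wildcards, as suggested
        return base + dtml_sqltest("name", "%" + user_input + "%", "string", "like")
    if form == "like-escaped":  # additionally neutralise user-typed wildcards
        return base + "name LIKE " + like_literal(user_input)
    raise ValueError(f"unknown form: {form}")


if __name__ == "__main__":
    attack = "x' OR '1'='1"  # constructed sample input
    for form in ("raw", "sqlvar", "sqltest-like", "like-escaped"):
        print(f"{form:13} {build_query(attack, form)}")
    print(build_query("50%_off", "like-escaped"))
    print(dtml_sqlvar(" 42 ", "int"))
    try:
        dtml_sqlvar("42; DROP TABLE users", "int")
    except BadInput as e:
        print("rejected:", e)
```

Running it shows the raw form producing `name = 'x' OR '1'='1'` (the statement's structure is changed by the input), while the sqlvar and sqltest forms keep the input inside one string literal. The last form matters for the LIKE case specifically: without escaping, a user entering `%` alone matches every row.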



RE: Re: [Zope-dev] ZSQL using LIKE operator

2001-02-09 Thread Schmidt, Allen J.

Not taken as being harsh from where I stand! The more we know...the better!
Thanks for the guidelines and the URL. It has been passed on to the group
that handles the MySQL on our server. Have not started using it for
Production, but will be soon.

From a recent post, I noticed that this topic might be better suited for the
normal Zope list. Would this be accurate? Comments welcome on accepted
topics. 

Thanks

Allen

-Original Message-
From: Jon Franz [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 09, 2001 10:18 AM
To: 'Schmidt, Allen J.'
Cc: '[EMAIL PROTECTED]'
Subject: RE: Re: [Zope-dev] ZSQL using LIKE operator
