RE: [Zope] dtml-sqlvar quote
It is not safe if you have malicious users. You will need to pass your through a filter. This will help.

A better example is a user taking advantage of an insert method:

insert into data values (, , )

where the user has found the Zsqlmethod by looking at http://yourzopehost/objectIds and calls it like this:

http://yourzopehost/sqlADDUSER?value_3=randomvalue);SELECT%20*%20FROM%20secretpasswordtable/

Fortunately, Zope responds with a "testing the sql method" form if you are authorized.

Troy

-Original Message-
From: Mark Twiddy [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 20, 2000 3:22 AM
To: [EMAIL PROTECTED]
Subject: Re: [Zope] dtml-sqlvar quote

Hi all, thanks for the help. Just on that. Is it safe to do

select * from data where like '%

as search_term could contain '; drop table blah; ' or whatever. I thought by using you could use untrusted values.

Thanks again
Mark

On Fri, 20 Oct 2000, Tony McDonald wrote:
> >
> >Hi all
> >
> >How can I pass a string to a sql method that won't be quoted.
> >
> >i.e. so I can do something like this
> >
> >.
> >group by foo,blah
> >order by
> >
> >
> >thanks mark
> >
>
> don't quote it?
>
> ...
> order by
>
>
> I use this all the time for things like
>
> select * from data where like '%%'
>
> tone
>
>
> ___
> Zope maillist - [EMAIL PROTECTED]
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )
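As an added example (not code from this thread or from Zope itself), here is the defensive version of the two points raised above, in Python with sqlite3: the search term is bound as a parameter, which is the same effect dtml-sqlvar's quoting has, while the ORDER BY column, which no quoting can protect, is checked against an allowlist. The table layout, column names and sample rows are constructed for the demo.

```python
import sqlite3

# Constructed allowlist of sortable columns; the real column names of the
# thread's "data" table are not on the page, so these are placeholders.
SORTABLE_COLUMNS = {"name", "foo", "blah"}

def order_by_clause(column, direction="asc"):
    """Build an ORDER BY fragment from untrusted input by allowlisting.

    Identifiers (column names, ASC/DESC) cannot be bound as parameters or
    quoted by dtml-sqlvar, so the only safe option is to accept exactly the
    values you expect and reject everything else.
    """
    if column not in SORTABLE_COLUMNS:
        raise ValueError("unknown sort column: %r" % (column,))
    direction = direction.lower()
    if direction not in ("asc", "desc"):
        raise ValueError("bad sort direction: %r" % (direction,))
    return "ORDER BY %s %s" % (column, direction.upper())

def search(conn, search_term, sort_column):
    """Run the thread's LIKE search with the value bound, not interpolated.

    Binding is what dtml-sqlvar's quoting achieves: the text is sent as data,
    so a term containing quotes and semicolons stays a literal string.
    """
    sql = "SELECT name FROM data WHERE name LIKE ? " + order_by_clause(sort_column)
    return [row[0] for row in conn.execute(sql, ("%" + search_term + "%",))]

def demo():
    """Constructed sample data; returns (hostile_hits, sorted_hits, rejected)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (name TEXT, foo INTEGER, blah INTEGER)")
    conn.executemany("INSERT INTO data VALUES (?, ?, ?)",
                     [("mark", 2, 1), ("tony", 1, 2), ("troy", 3, 3)])
    # The term from the thread is bound as data and simply matches nothing;
    # the tables are untouched, so the next query still works.
    hostile = search(conn, "'; drop table blah; '", "name")
    sorted_hits = search(conn, "t", "foo")  # names containing "t", by foo
    # An ORDER BY column cannot be quoted away; it has to be rejected outright.
    try:
        order_by_clause("name; DROP TABLE data")
        rejected = False
    except ValueError:
        rejected = True
    return hostile, sorted_hits, rejected
```

Binding only settles the injection question; `%` and `_` inside the bound term still act as LIKE wildcards, which is a separate input-validation matter.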
Re: [Zope] dtml-sqlvar quote
Hi all, thanks for the help. Just on that. Is it safe to do

select * from data where like '%

as search_term could contain '; drop table blah; ' or whatever. I thought by using you could use untrusted values.

Thanks again
Mark

On Fri, 20 Oct 2000, Tony McDonald wrote:
> >
> >Hi all
> >
> >How can I pass a string to a sql method that won't be quoted.
> >
> >i.e. so I can do something like this
> >
> >.
> >group by foo,blah
> >order by
> >
> >
> >thanks mark
> >
>
> don't quote it?
>
> ...
> order by
>
>
> I use this all the time for things like
>
> select * from data where like '%%'
>
> tone
Re: [Zope] dtml-sqlvar quote
>
> Hi all
>
> How can I pass a string to a sql method that won't be quoted.
>
> i.e. so I can do something like this
>
> .
> group by foo,blah
> order by
>
>
> thanks mark
>

don't quote it?

...
order by

I use this all the time for things like

select * from data where like '%%'

tone
Re: [Zope] dtml-sqlvar quote
On Fri, 20 Oct 2000, Mark Twiddy wrote:
> Hi all
>
> How can I pass a string to a sql method that won't be quoted.
>
> i.e. so I can do something like this
>
> .
> group by foo,blah
> order by
>

don't use sqlvar... just put:

order by

works for me. (o8

>
> thanks mark
>

Have a better one,
Curtis Maloney
[Zope] dtml-sqlvar quote
Hi all

How can I pass a string to a sql method that won't be quoted.

i.e. so I can do something like this

.
group by foo,blah
order by

thanks mark