sqltest just creates the full string of the where clause segment 
for the test using the same kind of 'safe' sql-string logic as 
sqlvar: so you should be able to replace the value to test against 
with any valid python expression, such as the one below where 
the % operators are concatenated onto the variable holding the 
value you want to test against. :)

As for the difference between <dtml-sqlvar> and <dtml-var sqlquote> 
(in case anyone is confused), an sqlvar tag requires a 
type value and will not only perform an sqlquote on the value 
being inserted into the statement, but will do any/all type 
conversion/stripping (letters from numeric values, etc) needed 
based upon the requested type.  

If anyone is concerned/puzzled by the security hazards I listed 
below, here is a URL describing problems associated with bad data 
used within queries and a mysql DB:


See the bullet point beginning with 'Do not trust any data entered by 
your users.'

Sorry if I seemed harsh in my original post, but security is my
bread and butter, so I may tend to be Loud when I see something

PS: In order to increase the safety of ZSQLMethods, maybe the basic
<dtml-var> tag should be made illegal inside it?  (forced usage
of the safe form would break some existent code, possibly, but 
would avoid confusion such as this in general - and thus be safer)

> -----Original Message-----
> From: Schmidt, Allen J. [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 09, 2001 7:01 AM
> To: 'Jon Franz'; '[EMAIL PROTECTED]'
> Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator
> Got it. Making the change now. Thanks for keeping an eye on 
> this thread. 
> What about the sqltest suggestion posted on this thread? 
> Or do sqltest
> and sqlvar handle DB calls in a similar fashion?
> Thanks
>> -----Original Message-----
>> From: Jon Franz [mailto:[EMAIL PROTECTED]]
>> Sent: Thursday, February 08, 2001 3:54 PM
>> Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator
>> No, this is bad!! Do NOT do this - it will allow Bad 

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope )
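The three ways of building the LIKE clause that this thread contrasts (raw `<dtml-var>` interpolation, `sqlquote`-style quoting, and a typed/parameterised value with the `%` wildcards added in code), shown side by side as an added example. This is not code from the thread or from Zope; it uses Python's `sqlite3` in place of a ZSQL Method, approximates `sqlquote` as doubling of single quotes, and the table rows, inputs and function names (`search_unsafe`, `search_quoted`, `search_param`, `escape_like`) are all constructed for the demo.

```python
"""Added example (not from the original thread): three ways to build a
LIKE clause from user input, run against an in-memory SQLite table.
All rows, inputs and helper names below are constructed for the demo."""
import sqlite3

# Constructed sample data: one admin, one name with a quote, one with LIKE metacharacters.
ROWS = [("alice", "admin"), ("bob", "user"), ("o'brien", "user"), ("100%_done", "user")]


def make_db():
    """Create and populate the demo table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return con


def search_unsafe(con, fragment):
    """The pattern the thread warns against: plain <dtml-var>-style interpolation.
    Any quote or comment marker in `fragment` changes the statement itself."""
    sql = "SELECT name FROM users WHERE name LIKE '%" + fragment + "%' ORDER BY name"
    return [row[0] for row in con.execute(sql)]


def search_quoted(con, fragment):
    """<dtml-var sqlquote>-style: double every single quote so the value stays
    inside the string literal (approximation of Zope's sqlquote, assumed here).
    Note that LIKE wildcards in the value are still interpreted by the DB."""
    quoted = fragment.replace("'", "''")
    sql = "SELECT name FROM users WHERE name LIKE '%" + quoted + "%' ORDER BY name"
    return [row[0] for row in con.execute(sql)]


def escape_like(fragment, esc="\\"):
    """Neutralise LIKE metacharacters so the user's text is matched literally."""
    return (fragment.replace(esc, esc + esc)
                    .replace("%", esc + "%")
                    .replace("_", esc + "_"))


def search_param(con, fragment):
    """The safe form: the value never touches the SQL text. The wildcards are
    concatenated onto the value in code, as the thread suggests doing with
    sqltest, and the DB driver binds the whole pattern as one parameter."""
    pattern = "%" + escape_like(fragment) + "%"
    sql = "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
    return [row[0] for row in con.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR role='admin' --"          # constructed bad input
    print("unsafe :", search_unsafe(db, hostile))   # the clause is rewritten: returns the admin
    print("quoted :", search_quoted(db, hostile))   # treated as text: matches nothing
    print("param  :", search_param(db, hostile))    # treated as text: matches nothing
    print("quoted, wildcard in input:", search_quoted(db, "%"))  # matches every row
    print("param,  wildcard in input:", search_param(db, "%"))   # matches only the literal '%'
```

The `search_quoted` and `search_param` results for the hostile input are the same, which is the point of the thread: either of the safe tag forms keeps user text out of the statement. The difference between them shows up on the last two lines, where a quoted value still carries live `%` and `_` wildcards into the LIKE, while the parameterised form escapes them and matches the characters literally.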