Not taken as being harsh from where I stand! The more we know...the better!
Thanks for the guidelines and the URL. It has been passed on to the group
that handles the MySQL on our server. Have not started using it for
Production, but will be soon.
From a recent post, I noticed that this topic might be better suited for the
normal Zope list. Would this be accurate? Comments welcome on accepted
From: Jon Franz [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 09, 2001 10:18 AM
To: 'Schmidt, Allen J.'
Cc: '[EMAIL PROTECTED]'
Subject: RE: Re: [Zope-dev] ZSQL using LIKE operator
sqltest just creates the full string of the where clause segment
for the test using the same kind of 'safe' sql-string logic as
sqlvar: so you should be able to replace the value to test against
with any valid python expression, such as the one below where
the % operators are concatenated onto the variable holding the
value you want to test against. :)
As for the difference between <dtml-sqlvar> and <dtml-var sqlquote>
(in case anyone is confused), an sqlvar tag requires a
type value and will not only perform an sqlquote on the value
being inserted into the statement, but will do any/all type
conversion/stripping (letters from numeric values, etc) needed
based upon the requested type.
If anyone is concerned/puzzled by the security hazards I listed
below, here is a URL describing problems associated with bad data
used within queries and a mysql DB:
See the bullet point beginning with 'Do not trust any data entered by
Sorry if I seemed harsh in my original post, but security is my
bread and butter, so I may tend to be Loud when I see something
PS: In order to increase the safety of ZSQLMethods, maybe the basic
<dtml-var> tag should be made illegal inside it? (forced usage
of the safe form would break some existent code, possibly, but
would avoid confusion such as this in general - and thus be safer)
> -----Original Message-----
> From: Schmidt, Allen J. [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 09, 2001 7:01 AM
> To: 'Jon Franz'; '[EMAIL PROTECTED]'
> Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator
> Got it. Making the change now. Thanks for keeping an eye on
> this thread.
> What about the sqltest suggestion posted on this thread? Or do sqltest
> and sqlvar handle DB calls in a similar fashion?
>> -----Original Message-----
>> From: Jon Franz [mailto:[EMAIL PROTECTED]]
>> Sent: Thursday, February 08, 2001 3:54 PM
>> To: '[EMAIL PROTECTED]'
>> Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator
>> No, this is bad!! Do NOT do this - it will allow Bad
Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists -
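The distinction Jon Franz draws above between a bare `<dtml-var>`, `<dtml-var sqlquote>` and `<dtml-sqlvar type=...>`, emulated in plain Python as an added example. This is not Zope's code and not from the original thread: the function names (`render_var`, `render_var_sqlquote`, `render_sqlvar`, `escape_like`, the `*_like` builders), the `users` table and the DTML snippets in the comments are my own stand-ins, the quoting rule is the generic one of doubling embedded single quotes, and `escape_like` assumes the database treats backslash as the LIKE escape character (MySQL's default). It goes one step past the thread in also escaping `%` and `_` that arrive inside the user's value, since quoting alone leaves them live as wildcards.

```python
# Added example, not Zope's own code: emulates what the thread says each
# DTML form does when a user-supplied value lands in a LIKE clause.

def sql_quote(value):
    """The 'sqlquote' step: wrap in single quotes, double embedded quotes."""
    return "'" + str(value).replace("'", "''") + "'"


def render_var(value):
    """Stand-in for <dtml-var x>: raw interpolation, no quoting at all."""
    return str(value)


def render_var_sqlquote(value):
    """Stand-in for <dtml-var x sqlquote>: quoted, but no type checking."""
    return sql_quote(value)


def render_sqlvar(value, type_name):
    """Stand-in for <dtml-sqlvar x type=...>: quoted *and* coerced to the
    declared type.  Only 'string' and 'int' are modelled here (assumption)."""
    if type_name == "string":
        return sql_quote(value)
    if type_name == "int":
        # An int column needs no quotes, but the value must really be an
        # integer; "1 OR 1=1" raises ValueError instead of reaching the DB.
        return str(int(str(value).strip()))
    raise ValueError("unsupported type: %r" % (type_name,))


def escape_like(value, esc="\\"):
    """Neutralise LIKE metacharacters inside the user's value so that only
    the wildcards the template adds act as wildcards.  Assumes `esc` is the
    database's LIKE escape character (backslash is MySQL's default)."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


PREFIX = "SELECT id, name FROM users WHERE name LIKE "   # constructed query


def unsafe_like(value):
    """Template (illustrative):  ... LIKE '%<dtml-var name>%'
    The quotes live in the template, so a quote in `value` ends the literal."""
    return PREFIX + "'%" + render_var(value) + "%'"


def sqlquote_like(value):
    """Template (illustrative):  ... LIKE <dtml-var "'%' + name + '%'" sqlquote>
    The wildcards are concatenated onto the value *before* it is quoted."""
    return PREFIX + render_var_sqlquote("%" + value + "%")


def sqlvar_like(value):
    """Template (illustrative):  ... LIKE <dtml-sqlvar "'%' + name + '%'" type=string>
    Same quoting as sqlquote_like; the type attribute is what sqlvar adds."""
    return PREFIX + render_sqlvar("%" + value + "%", "string")


def strict_like(value):
    """As sqlvar_like, but user-typed % and _ are escaped as well."""
    return PREFIX + render_sqlvar("%" + escape_like(value) + "%", "string")


if __name__ == "__main__":
    hostile = "%' OR 1=1 --"          # constructed sample input
    print(unsafe_like(hostile))       # the OR 1=1 is now live SQL
    print(sqlvar_like(hostile))       # the quote is doubled, literal stays closed
    print(strict_like("50%_off"))     # user's % and _ are escaped, ours are not
    try:
        render_sqlvar("1 OR 1=1", "int")
    except ValueError as err:
        print("rejected by typed sqlvar:", err)
```

Running it shows the point of the thread in one screen: the raw form produces `... LIKE '%%' OR 1=1 --%'`, where the comment marker swallows the template's closing quote and the `OR 1=1` executes, while the quoted forms produce `... LIKE '%%'' OR 1=1 --%'`, where the whole input stays a string. The `int` branch is what the thread means by sqlvar doing type conversion on top of quoting.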