Not taken as being harsh from where I stand! The more we know...the better!
Thanks for the guidelines and the URL. It has been passed on to the group
that handles the MySQL on our server. Have not started using it for
Production, but will be soon.

From a recent post, I noticed that this topic might be better suited for the
normal Zope list. Would this be accurate? Comments welcome on accepted



-----Original Message-----
From: Jon Franz [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 09, 2001 10:18 AM
To: 'Schmidt, Allen J.'
Subject: RE: Re: [Zope-dev] ZSQL using LIKE operator

sqltest just creates the full string of the where clause segment 
for the test using the same kind of 'safe' sql-string logic as 
sqlvar: so you should be able to replace the value to test against 
with any valid python expression, such as the one below where 
the % operators are concatenated onto the variable holding the 
value you want to test against. :)

As for the difference between <dtml-sqlvar> and <dtml-var sqlquote> 
(in case anyone is confused), an sqlvar tag requires a 
type value and will not only perform an sqlquote on the value 
being inserted into the statement, but will do any/all type 
conversion/stripping (letters from numeric values, etc) needed 
based upon the requested type.  

If anyone is concerned/puzzled by the security hazards I listed 
below, here is a URL describing problems associated with bad data 
used within queries and a mysql DB:

See the bullet point beginning with 'Do not trust any data entered by 
your users.'

Sorry if I seemed harsh in my original post, but security is my
bread and butter, so I may tend to be Loud when I see something

PS: In order to increase the safety of ZSQLMethods, maybe the basic
<dtml-var> tag should be made illegal inside it?  (forced usage
of the safe form would break some existent code, possibly, but 
would avoid confusion such as this in general - and thus be safer)

> -----Original Message-----
> From: Schmidt, Allen J. [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 09, 2001 7:01 AM
> To: 'Jon Franz'; '[EMAIL PROTECTED]'
> Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator
> Got it. Making the change now. Thanks for keeping an eye on 
> this thread. 
> What about the sqltest suggestion posted on this thread?
> Or do sqltest
> and sqlvar handle DB calls in a similar fashion?
> Thanks
>> -----Original Message-----
>> From: Jon Franz [mailto:[EMAIL PROTECTED]]
>> Sent: Thursday, February 08, 2001 3:54 PM
>> Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator
>> No, this is bad!! Do NOT do this - it will allow Bad 
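As an added example (not code from the thread or from Zope itself), here is a small Python model of the three tags discussed above and of the '%' concatenation trick; the helper names are hypothetical and only approximate what the DTML tags do:

```python
# Added example, not from the thread: a small model of why raw <dtml-var>
# is unsafe inside a ZSQL method, what sqlquote/sqlvar/sqltest add, and how
# the LIKE wildcards can be concatenated onto the value before quoting.
# The helpers approximate Zope's behaviour; they are not Zope's own code.

def sql_quote(value: str) -> str:
    """Approximates <dtml-var x sqlquote>: wrap in single quotes and
    double any embedded single quote so the literal stays closed."""
    return "'" + value.replace("'", "''") + "'"

def sqlvar(value, type_: str) -> str:
    """Approximates <dtml-sqlvar x type=...>: validate/convert by type,
    then quote string types; values that do not fit the type are rejected."""
    if type_ == "int":
        return str(int(value))            # ValueError for '12abc'
    if type_ == "float":
        return repr(float(value))
    if type_ in ("string", "nb"):         # nb = non-blank string
        text = str(value)
        if type_ == "nb" and not text:
            raise ValueError("empty value not allowed for type nb")
        return sql_quote(text)
    raise ValueError("unknown sqlvar type: " + type_)

def sqltest(column: str, value, type_: str, op: str = "=") -> str:
    """Approximates <dtml-sqltest>: build the WHERE fragment through the
    same quoting path as sqlvar (op is taken as a literal SQL operator here,
    a simplification of the real tag's op= keywords)."""
    return f"{column} {op} {sqlvar(value, type_)}"

def unsafe_like(name: str) -> str:
    """The pattern the thread warns against: raw <dtml-var> interpolation."""
    return f"SELECT * FROM users WHERE name LIKE '%{name}%'"

def safe_like(name: str) -> str:
    """Wildcards concatenated onto the value *before* quoting, as suggested
    in the thread, so '%' ends up inside one properly quoted literal."""
    return "SELECT * FROM users WHERE " + sqltest(
        "name", "%" + name + "%", "string", "LIKE")

if __name__ == "__main__":
    # Constructed sample input: a legitimate name containing an apostrophe.
    user_input = "O'Brien"
    print(unsafe_like(user_input))   # the literal is cut off at the apostrophe
    print(safe_like(user_input))     # ... name LIKE '%O''Brien%'
    print(sqltest("uid", "42", "int"))  # uid = 42
```

The apostrophe alone is enough to show the difference: with raw interpolation the string literal ends early and the rest of the input becomes SQL, while the quoted path keeps the whole value inside one literal.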

Zope-Dev maillist  -  [EMAIL PROTECTED]