+-------[ Oliver Bleutgen ]----------------------
| > Then change your Z SQL Method to look like;
| 
| > select * from Customers where
| > foofield=<dtml-sqlvar search type=string>
| > <dtml-if orderby>
| > ORDER BY <dtml-var orderby>
| > </dtml-if>
| 
| Hmm, I wouldn't do that; you're trusting the client here.
| Imagine someone going to 
| 
| http://yourserver/staff?orderby=firstname%20;%20delete from Customers;

You always validate external input, especially in a web environment.
I didn't think it was necessary to spell that out.

-- 
Totally Holistic Enterprises Internet|  P:+61 7 3870 0066   | Andrew Milton
The Internet (Aust) Pty Ltd          |  F:+61 7 3870 4477   | 
ACN: 082 081 472 ABN: 83 082 081 472 |  M:+61 416 022 411   | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068    |[EMAIL PROTECTED]| 
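As an added example (not code from the thread or from Zope itself), a Python sketch of the defence Oliver's point implies: the search value is quoted the way <dtml-sqlvar type=string> does, while the orderby value is checked against an allowlist of real column names instead of being dropped in raw via <dtml-var>, because a column name cannot be bound as a value. The function names, ALLOWED_ORDERBY and the in-memory Customers table are constructed for the example.

```python
"""Build the Customers query from the thread without trusting the client's
orderby parameter.  Quoting protects the search *value*; the ORDER BY
*identifier* has to be validated against a fixed list of column names."""
import sqlite3

# Assumed column names the client may sort on; anything else is rejected.
ALLOWED_ORDERBY = {"firstname", "lastname", "foofield"}


def sql_quote_string(value):
    """Mimic <dtml-sqlvar ... type=string>: single-quote the value and
    double any embedded single quote so it stays inside the literal."""
    return "'" + str(value).replace("'", "''") + "'"


def is_allowed_orderby(orderby):
    """True only for an exact match of a known column name, so a value
    such as 'firstname ; delete from Customers;' never reaches the SQL."""
    return orderby in ALLOWED_ORDERBY


def build_query(search, orderby=None):
    """Equivalent of the Z SQL Method, with orderby allowlisted."""
    query = "select * from Customers where foofield=" + sql_quote_string(search)
    if orderby:
        if not is_allowed_orderby(orderby):
            raise ValueError("orderby is not a known column: %r" % (orderby,))
        query += " ORDER BY " + orderby
    return query


def run_query(search, orderby=None):
    """Run the built query against a constructed in-memory Customers table
    (sample rows only) and return the matching rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Customers (firstname text, lastname text, foofield text)")
    conn.executemany("insert into Customers values (?, ?, ?)", [
        ("zed", "adams", "x"), ("amy", "brown", "x"), ("bob", "clark", "y")])
    rows = conn.execute(build_query(search, orderby)).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    print(run_query("x", "firstname"))
    try:
        build_query("x", "firstname ; delete from Customers;")
    except ValueError as exc:
        print("rejected:", exc)
```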

_______________________________________________
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope