On Tue, Aug 01, 2006 at 02:50:19PM -0400, Muk Yan wrote:
> Dear Coveted Braintrust,
> I was wondering if anyone had any experience with MySQL queries in Python in
> Zope:

People have already answered your main question, but:

> SELECT name
> FROM person
> WHERE ID = <dtml-var "REQUEST.SESSION.get('person_id')">

Never ever pass raw user input to a SQL query!  If you're not familiar
with the phrase "SQL injection"...  google it :)

The Zope Book relational databases chapter explains how to use
<dtml-sqlvar> which is one way to avoid the danger.


Paul Winkler
Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-dev )
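As an added illustration (not from this thread, and not Zope's own sqlvar implementation), a small Python stand-in for the difference between `<dtml-var>` and `<dtml-sqlvar>` in the query above: raw interpolation splices whatever the session holds straight into the SQL, while a type-checked sqlvar refuses anything that is not an integer and quotes string values.

```python
# Constructed stand-in for what <dtml-sqlvar> does to a value before it is
# spliced into a Z SQL Method.  Illustration only; not Zope's real code.


class SQLVarError(ValueError):
    """Raised when a value does not fit the declared sqlvar type."""


def sqlvar(value, vtype):
    """Render VALUE as a SQL literal of the declared VTYPE, or refuse it."""
    if vtype == "int":
        # Only a whole number is accepted; any other text (operators,
        # quotes, keywords) raises instead of reaching the query.
        try:
            return str(int(str(value).strip()))
        except ValueError:
            raise SQLVarError("expected int, got %r" % (value,))
    if vtype == "string":
        # Quote the value and double any embedded quote or backslash so
        # the literal cannot be terminated early by its own content.
        escaped = str(value).replace("\\", "\\\\").replace("'", "''")
        return "'" + escaped + "'"
    raise SQLVarError("unsupported sqlvar type %r" % (vtype,))


def raw_query(person_id):
    """What <dtml-var "REQUEST.SESSION.get('person_id')"> produces:
    the session value is interpolated verbatim."""
    return "SELECT name FROM person WHERE ID = %s" % (person_id,)


def safe_query(person_id):
    """What <dtml-sqlvar person_id type="int"> produces instead."""
    return "SELECT name FROM person WHERE ID = " + sqlvar(person_id, "int")


if __name__ == "__main__":
    print(safe_query(42))
    print(raw_query("1 OR 1=1"))   # the raw form passes this straight through
    try:
        safe_query("1 OR 1=1")
    except SQLVarError as exc:
        print("sqlvar rejected it:", exc)
```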
