[Zope-DB] dynamic SQL

Fernando Martins fmartins@hetnet.nl
Wed, 9 Apr 2003 13:10:25 +0200


Thanks for replying,
>
> It is quite easy.  But you really, really, really don't want to do it.
>
> zsql method
> variable_sql
> parameter
> command
> body
> <dtml-var command>
>

It took me a while to understand what you mean by this list of items. So,
for the record, the idea is to create a zsql method called variable_sql with
a parameter called command and a body having only <dtml-var command>. The
zsql is called with a complete SQL statement from wherever you want.

> Now, what is wrong with this?
>
> Well, you have no security, whatsoever.  Anyone who can access method
> variable_sql can do anything that they want to our database.  Even if
> you somehow limit access to the method, you can't stop SQL injection.
> And you can't debug the SQL, since you have no idea of what will be
> executed.
>

Well, in my case it is for an Intranet and it's essentially a prototype.

> Go to the trouble now.  It will reduce your trouble later.
>

Appreciated,

Fernando

PS: thanks also to Michal.
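The two designs contrasted in the quoted reply, as an added Python example that is not part of this thread: sqlite3 stands in for the Intranet database, `variable_sql` mirrors a ZSQL body consisting only of `<dtml-var command>`, and `staff_by_dept` is a fixed statement with a bound parameter (the role `<dtml-sqlvar>` plays in ZSQL). The table, rows and department names are constructed.

```python
"""Contrast a 'hand me the whole statement' SQL method with a fixed,
parameterised one, using sqlite3 as a stand-in for a Zope ZSQL method."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the Intranet database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (name TEXT, dept TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?, ?)",
                     [("alice", "sales"), ("bob", "it"), ("carol", "hr")])
    conn.commit()
    return conn


def variable_sql(conn: sqlite3.Connection, command: str) -> list:
    """The pattern the reply warns against: the body is just <dtml-var command>.
    Whatever text the caller supplies is executed verbatim, so the caller,
    not the method, decides what the database does."""
    return conn.execute(command).fetchall()


def staff_by_dept(conn: sqlite3.Connection, dept: str) -> list:
    """A fixed ZSQL-style method: the statement is written once and the value
    is bound (sqlite3's equivalent of <dtml-sqlvar dept type=string>), so the
    caller can only ever supply data, never SQL."""
    cur = conn.execute("SELECT name FROM staff WHERE dept = ?", (dept,))
    return [row[0] for row in cur.fetchall()]


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM staff").fetchone()[0]


def demo() -> dict:
    conn = make_db()
    # A value shaped like an injection attempt is just a string to the fixed
    # method: no department has that literal name, so nothing matches.
    hostile = "it' OR '1'='1"
    safe_result = staff_by_dept(conn, hostile)
    normal_result = staff_by_dept(conn, "it")
    before = row_count(conn)
    # The variable-SQL method has no notion of an intended statement at all;
    # any complete statement handed to it runs, reads and writes alike.
    variable_sql(conn, "DELETE FROM staff WHERE dept = 'hr'")
    after = row_count(conn)
    return {"safe_result": safe_result, "normal_result": normal_result,
            "rows_before": before, "rows_after": after}


if __name__ == "__main__":
    print(demo())
```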