[Zope-DB] Re: How to import SQL in python script???

Martin Gebert Murphy@members.netsolution-net.de
Wed, 12 Feb 2003 18:51:03 +0100

eijgnit@netscape.net schrieb:
> Dear all,
> As a follow-up to my earlier question on the above topic. Because the
> SQL statement I need to query the database with depends on a lot of
> variables (sometimes I even have to query another relation), I could
> use sqlgroup and sqltest to do the above.
> But here's another solution: create a ZSQLMethod with only one
> argument called, say, "sql", and in the contents just have "<dtml-var
> sql>". Effectively what this does is to query the database according
> to what the argument sql is (which of course must be a valid SQL
> statement).

But with this way, you have to make absolutely, *ABSOLUTELY* sure that no one is able to exploit the method by injecting harmful code. Say, somebody is calling it with

myZSqlMethod(sql='delete from MYTABLE')

This is the reason why the use of dtml-sqlvar is recommended; it provides type-specific quoting (attribute "type") to make sure harmful SQL statements within a parameter can't be executed.
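The difference between the two approaches, as an added example that is not part of the original mail or of Zope's own code: a small sqlite3 script that emulates the one-argument `<dtml-var sql>` method from the quoted post next to a `<dtml-sqlvar ... type="int">` / `type="string">`-style parameter. The `sqlvar()` function is a hypothetical stand-in for dtml-sqlvar's quoting (integers must parse as whole numbers and are emitted bare; strings are single-quoted with embedded quotes doubled); the table MYTABLE and its three rows are constructed sample data.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database (not from the thread): one table, three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MYTABLE (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO MYTABLE (id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "o'brien")])
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM MYTABLE").fetchone()[0]


# --- The pattern from the quoted post: a method whose whole body is <dtml-var sql> ---

def run_raw_sql(conn, sql):
    """Emulates a ZSQL Method containing only <dtml-var sql>: whatever the caller
    passes is handed to the database verbatim, so 'delete from MYTABLE' just runs."""
    cur = conn.execute(sql)
    conn.commit()
    return cur.fetchall()


# --- The recommended pattern: <dtml-sqlvar name type="..."> ---

class SQLVarError(ValueError):
    """Raised when a value does not fit the declared sqlvar type (hypothetical)."""


def sqlvar(value, type_):
    """Hypothetical emulation of dtml-sqlvar's type-specific quoting.
    'int': must be a whole number (ASCII digits only), emitted without quotes.
    'string': wrapped in single quotes with embedded quotes doubled, so the
    value can never terminate the literal it sits in."""
    if type_ == "int":
        s = str(value).strip()
        if not re.fullmatch(r"[+-]?[0-9]+", s):
            raise SQLVarError("invalid integer value for sqlvar: %r" % (value,))
        return str(int(s))
    if type_ == "string":
        return "'" + str(value).replace("'", "''") + "'"
    raise SQLVarError("unsupported sqlvar type %r" % (type_,))


def lookup_by_id(conn, user_input):
    """Equivalent of: SELECT name FROM MYTABLE WHERE id = <dtml-sqlvar id type="int">"""
    sql = "SELECT name FROM MYTABLE WHERE id = " + sqlvar(user_input, "int")
    return [r[0] for r in conn.execute(sql).fetchall()]


def lookup_by_name(conn, user_input):
    """Equivalent of: SELECT id FROM MYTABLE WHERE name = <dtml-sqlvar name type="string">"""
    sql = "SELECT id FROM MYTABLE WHERE name = " + sqlvar(user_input, "string")
    return [r[0] for r in conn.execute(sql).fetchall()]


def lookup_by_name_unsafe(conn, user_input):
    """Equivalent of: SELECT id FROM MYTABLE WHERE name = '<dtml-var name>'
    (quotes typed by hand around a plain dtml-var; the value can still break out)."""
    sql = "SELECT id FROM MYTABLE WHERE name = '" + str(user_input) + "'"
    return [r[0] for r in conn.execute(sql).fetchall()]


def demo():
    """Run the scenarios and return their outcomes as a dict (no printing)."""
    results = {}
    conn = make_db()
    # 1. The <dtml-var sql> method executes a DELETE as readily as a SELECT.
    run_raw_sql(conn, "delete from MYTABLE")
    results["rows_after_raw_delete"] = row_count(conn)

    conn = make_db()
    # 2. With type="int" the same payload never reaches the database.
    try:
        lookup_by_id(conn, "1; delete from MYTABLE")
        results["int_payload_rejected"] = False
    except SQLVarError:
        results["int_payload_rejected"] = True
    results["rows_after_int_attempt"] = row_count(conn)
    results["id_1"] = lookup_by_id(conn, " 1 ")

    # 3. type="string" keeps quote-breaking input inside the literal;
    #    a hand-quoted dtml-var does not.
    results["name_obrien"] = lookup_by_name(conn, "o'brien")
    results["name_injection_sqlvar"] = lookup_by_name(conn, "x' OR '1'='1")
    results["name_injection_unsafe"] = lookup_by_name_unsafe(conn, "x' OR '1'='1")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running `demo()` shows the raw-SQL method leaving MYTABLE empty, the integer-typed lookup refusing `1; delete from MYTABLE` with the table intact, and the same quote-breaking name returning no rows through `sqlvar` but every row through the hand-quoted `<dtml-var>`. Where the database adapter supports it, DB-API parameter binding (the `?` placeholders used in `make_db`) achieves the same separation of data from statement text without building the quoting yourself.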