[Zope] ZSQL security restriction with Zope 2-1-6 ?

Chris Withers chrisw@nipltd.com
Fri, 28 Apr 2000 12:11:44 +0100


Hi,

Can you PLEASE stop posting this same message to the list!

If it's not getting answered then you need to look at why it's not getting
answered rather than just posting the exact same message.

Looking in the archives, this is around the 4th or 5th time you've posted
exactly the same message.

cheers,

Chris

Francois-Regis CHALAOUX wrote:
> 
> Date:  04/27/2000  05:09 pm  (Thursday)
> From:  Francois-Regis CHALAOUX
> To:  INET:zope@zope.org
> Subject:  ZSQL security restriction with Zope 2-1-6 ?
> 
> Hi All,
> 
> Since I upgraded from Zope-2.1.2 to Zope-2.1.6 I HAVE A BIG PROBLEM !!!
> 
> I created a little application to manage seminars. All the methods to consult
> these seminars work but all the methods to upgrade, create, delete now return
> ERRORS. My DB is Gadfly.
> 
> Should I come back to 2.1.2 ? Should I change something in my code? Should I
> modify Zope-2.1.6?
> 
> Help, please.
> 
> FR
> 
> ===========
> Environment
> ===========
> Linux Suse-6.2
> Python 5.2
> Zope-2.1.6 upgrade from Zope-2.1.2 with patch
> Zope-2.1.x-to-2.1.6-linux2-x86.tgz
> Gadfly
> ===========
> 
> Below you can find the code of an example and the associated ERROR:
> 
> ==========================
> DTML Document saisies.html
> ==========================
> <FORM ACTION="insert_seminar_do" METHOD="POST">
> Blablabla ....
> </FORM>
> 
> ===============================
> DTML Document insert_seminar_do
> ===============================
> Blablabla ...
> <!--#call "insert_seminar(REQUEST)"-->
> Blablabla ...
> 
> =========================
> SQL Method insert_seminar
> =========================
> Arguments : titre type jour numero mois annee heure minute nomconf prenomconf
> titreconf adresseconf lieu nomhote prenomhote url
> 
> insert into seminar (id,
>                      titre,
>                      type,
>                      jour, numero,mois,annee,heure,minute,floatdate,
>                      nomconf, prenomconf, titreconf, adresseconf,
>                      lieu,
>                      nomhote, prenomhote,
>                      url)
> select max(id)+1,
> <!--#sqlvar titre type=string-->,
> <!--#sqlvar type type=string-->,
> <!--#sqlvar jour type=int-->,<!--#sqlvar numero type=int-->,
> <!--#sqlvar mois type=int-->,
> <!--#sqlvar annee type=int-->,<!--#sqlvar heure type=string-->,
> <!--#sqlvar minute type=string-->,
> <!--#var "tofltdate(REQUEST['numero'],REQUEST['mois'],REQUEST['annee'])"-->,
> <!--#sqlvar nomconf type=string-->,<!--#sqlvar prenomconf type=string-->,
> <!--#sqlvar titreconf type=string-->,<!--#sqlvar adresseconf type=string-->,
> <!--#sqlvar lieu type=string-->,
> <!--#sqlvar nomhote type=string-->,<!--#sqlvar prenomhote type=string-->,
> <!--#sqlvar url type=string-->
>  from seminar
> 
> =============================
> tofltdate is an external method.
> =============================
> 
> import string
> import sys
> from DateTime import *
> 
> def tofltdate(numero,mois,annee):
>    datum = string.join((str(annee) + "/" + str(mois) + "/" + str(numero)) + " 0:00pm US/Eastern" ,'')
>    f = DateTime(datum)
>    return float(f)
> 
> ########################
> 
>  Error type:  NameError
>  Error value: REQUEST
>  -->
> </TD></TR></TABLE>
>         </TD>
>         </TR>
>         <TR>
>                 <TD BGCOLOR="#6699CC" ALIGN=RIGHT VALIGN=BOTTOM COLSPAN="2"
> WIDTH="150"><IMG SRC="Images/bottombar.gif" ALT="Curve graphic" WIDTH="150"
> HEIGHT="26" BORDER="0"></TD>
> 
>                 <TD ALIGN=CENTER>
>                 <HR NOSHADE SIZE="0">
>                 <p class="footlink" align="center">
>                 <A
> HREF="http://sbi2.strasbourg.synthelabo.fr:8080/zseminar/insert_seminar_do?pp=1">Printable
> Page</A>&nbsp;&nbsp;&nbsp;&nbsp;
>                 <A
> HREF="mailto:fchalaou@stasbourg.synthelabo.fr">Feedback</a>&nbsp;&nbsp;&nbsp;&nbsp;
>                 <A
> HREF="http://sbi2.strasbourg.synthelabo.fr:8080/zseminar/insert_seminar_do/view_source">DTML
> Source</a>
>                 </p></TD>
>         </TR>
> </TABLE>
> 
> </BODY>
> </HTML>
> 
> <!--
> Traceback (innermost last):
>   File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/Publish.py, line 214, in
> publish_module
>   File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/Publish.py, line 179, in
> publish
>   File /opt/zope/Zope-2.1.2/lib/python/Zope/__init__.py, line 202, in
> zpublisher_exception_hook
>     (Object: ElementWithAttributes)
>   File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/Publish.py, line 165, in
> publish
>   File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/mapply.py, line 160, in
> mapply
>     (Object: insert_seminar_do)
>   File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/Publish.py, line 102, in
> call_object
>     (Object: insert_seminar_do)
>   File /opt/zope/Zope-2.1.2/lib/python/OFS/DTMLDocument.py, line 166, in
> __call__
>     (Object: insert_seminar_do)
>   File /opt/zope/Zope-2.1.2/lib/python/DocumentTemplate/DT_String.py, line
> 502, in __call__
>     (Object: insert_seminar_do)
>   File /opt/zope/Zope-2.1.2/lib/python/DocumentTemplate/DT_Util.py, line 335,
> in eval
>     (Object: insert_seminar(REQUEST))
>     (Info: REQUEST)
>   File <string>, line 0, in ?
>   File /opt/zope/Zope-2.1.2/lib/python/Shared/DC/ZRDB/DA.py, line 424, in
> __call__
>     (Object: insert_seminar)
>   File /opt/zope/Zope-2.1.2/lib/python/DocumentTemplate/DT_String.py, line
> 502, in __call__
>     (Object: <string>)
>   File /opt/zope/Zope-2.1.2/lib/python/DocumentTemplate/DT_Util.py, line 335,
> in eval
>     (Object: tofltdate(REQUEST['numero'],REQUEST['mois'],REQUEST['annee']))
>     (Info: REQUEST)
>   File <string>, line 0, in ?
> NameError: (see above)
> 
> --  >
> 
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )