[Zope] Executing Z SQL Methods via a URL request

Dieter Maurer dieter@handshake.de
Wed, 22 Nov 2000 22:33:46 +0100 (CET)


Please do *NOT* send HTML mails into this list!

Nick McDowell writes:
 > I have a Z SQL method that requires an “id” value which it uses to perform
 > a select statement.  I am trying to pass this “id” value via a URL, which
 > calls a DTML method who in turn calls the Z SQL Method.
If I remember right, someone introduced into Zope 2.1.6's Z SQL
methods that acquisition is stronger than explicitly passed
arguments (and than arguments from REQUEST, which is your case).
One says it was for security reasons.

I think this is a big bug, and I will change it whenever
I see it.

If it is still in Zope 2.2, then you will have only 2 chances:

   1. rename your argument to something that is not
      acquired (as 'id' is).
      In your SQL, you can of course use the column name
      as it is defined by the table - similar to the
      following:

	.... where id = <dtml-sqlvar renamed_id type=string> ....


   2. change the code in "Shared.DC.ZRDB.DA.__call__",
      as I would do.

      I did not yet work enough with Zope 2.2 to get
      hit by the bug (if it is still there).
      Therefore, I do not yet have a patch.



Dieter
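
An added, constructed illustration of the argument-resolution problem the
message describes (this is not Zope's own Shared.DC.ZRDB.DA code; the
Folder class, resolve_arg(), sqlvar_string() and render_query() names are
assumptions made for this example). It models three sources a Z SQL method
argument can come from (explicit call arguments, REQUEST, and acquisition
from the container), shows how putting acquisition first lets an acquired
'id' silently shadow the value sent in the URL, and shows why renaming the
argument to something the container does not have (the workaround in item 1)
avoids the problem. The sqlvar_string() helper stands in for
<dtml-sqlvar ... type=string> only to show that the value still reaches the
SQL quoted and escaped rather than interpolated raw.

```python
# Constructed model of Z SQL method argument resolution.
# NOT Zope's Shared.DC.ZRDB.DA implementation; names are illustrative.


class Folder:
    """Toy stand-in for a Zope container through which attributes are acquired."""

    def __init__(self, **attrs):
        # e.g. Folder(id='myfolder') has an acquirable attribute 'id'
        self.__dict__.update(attrs)


def resolve_arg(name, explicit, request, container, acquisition_first):
    """Return the value an SQL method argument would receive.

    explicit          -- keyword arguments passed directly to the method
    request           -- URL/form variables (REQUEST), a dict here
    container         -- object whose attributes can be acquired
    acquisition_first -- True models the Zope 2.1.6 behaviour complained
                         about in the post: acquisition beats both explicit
                         arguments and REQUEST
    """
    acquired = getattr(container, name, None)
    if acquisition_first and acquired is not None:
        return acquired                      # shadows caller-supplied values
    for source in (explicit, request):       # explicit args win over REQUEST
        if name in source:
            return source[name]
    return acquired                          # acquisition only as a fallback


def sqlvar_string(value):
    """Toy equivalent of <dtml-sqlvar name type=string>: quote and escape."""
    return "'" + str(value).replace("'", "''") + "'"


def render_query(arg_name, explicit, request, container, acquisition_first):
    """Build the SELECT the post's DTML/Z SQL pair would end up running."""
    value = resolve_arg(arg_name, explicit, request, container, acquisition_first)
    if value is None:
        raise KeyError("missing argument %r" % arg_name)
    return "SELECT * FROM items WHERE id = %s" % sqlvar_string(value)


if __name__ == "__main__":
    folder = Folder(id="myfolder")           # constructed: container has an 'id'
    # URL request: ...?id=42  -> with acquisition first, 'myfolder' wins
    print(render_query("id", {}, {"id": "42"}, folder, acquisition_first=True))
    # Workaround from the post: rename the argument so nothing acquires it
    print(render_query("renamed_id", {}, {"renamed_id": "42"}, folder,
                       acquisition_first=True))
```

Running it prints the shadowed query first (WHERE id = 'myfolder') and the
intended one second (WHERE id = '42'), which is exactly the difference the
renaming workaround makes.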