[Zope] Zope/PostgreSQL/PoPy. Solution v0.0.1. Author: Jim Penny

Antonio Carrasco antoniojezu@hotmail.com
Fri, 24 Aug 2001 11:03:15 +0200


Hello again. I'm at work now and I've tried some code. Sorry again, I'm
Spanish and my English is quite bad.


----- Original Message -----
From: "Jim Penny" <jpenny@universal-fasteners.com>
To: "Antonio Carrasco" <antoniojezu@hotmail.com>
Sent: Thursday, August 23, 2001 11:59 PM
Subject: Re: [Zope] Zope/PostgreSQL/PoPy


> On Wed, Aug 22, 2001 at 11:50:05PM +0200, Antonio Carrasco wrote:
> > Ok, Jim, Let's go again...
> >
> > > select from Departments where name=<dtml-sqlvar name type=string>
> > I tried it.
>
>
> > >
> > > Also,
> > > does
> > > select from Departments where name='<dtml-var name sql_quote>'
> > > work?

OK! It works successfully! And it seems to be a good solution. Because:
"<< sql_quote
    Converts single quotes to pairs of single quotes. This is needed to
    safely include values in SQL strings. >>" From Zope Help System, DTML
Reference, var.

But why doesn't <dtml-sqlvar name type=string> work? I think every one of
us wants to know.

>
> Now just a cotton picking minute.  The form just above does not
> reference string at all.  I don't see how it can be failing on
> a string error message.
>
> This is not suitable for production code, due to security reasons.
> does
> select from Departments where name='<dtml-var name>'
> work?

Yes, it works too. But we have the security problem.
"<< In addition to avoiding errors, SQL quoting is important for security.
Suppose you had a query that makes a select:

select * from employees
where emp_id=<dtml-var emp_id>

This query is unsafe since someone could slip SQL code into your query by
entering something like 12; drop table employees as an emp_id. To avoid
this problem you need to make sure that your variables are properly
quoted. >>" From ZopeBook, Chapter 10: Relational Database Connectivity,
Dynamic SQL queries, Inserting arguments with sql-var.

Anyway, <dtml-var name sql_quote> doesn't resolve our problem because:
"<<
SELECT * FROM Departments
<dtml-sqlgroup where>
 <dtml-sqltest id op=eq type=int optional>
<dtml-and>
 <dtml-if nombre>
  nombre='<dtml-var name sql_quote>'
 </dtml-if>
</dtml-sqlgroup>
>>" From my code.
We have to use dtml-if in all our multiple-argument queries with strings.
Or is there another way to do it?

>
> (Make sure punctuation is exactly as shown.)
>
> Jim
>
> >
> > I have tried it.
> > And I have tried other ways. But nothing. I have been today two hours
> > making and thinking different ways. My last try is to find someone who can
> > make the query without problems in this list. Farrell seems to be. But in
> > RedHat.
> > Tomorrow I'm going to write and specify all the products' version data
> > and OS used (It's Linux, but I can't remember more now). Thanks again. Jim
> >
> > Antonio Carrasco
> >
>
>
>

Thanks a lot, Jim and others. I hope I can help all of you someday.

Antonio Carrasco
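The following is an added illustration, not code from this thread or from Zope/PoPy. It reproduces in plain Python what the quoted Zope Book passage and the sql_quote help text describe: an unquoted `<dtml-var emp_id>` splices the caller's text straight into the statement (so "12; drop table employees" turns one statement into two), while sql_quote-style doubling of single quotes keeps the value inside one string literal. It also shows a parameterised equivalent of the `dtml-sqlgroup` / `dtml-sqltest ... optional` pattern from the message, where each filter is added only when a value is present. SQLite's in-memory database stands in for PostgreSQL/PoPy, and the table names, rows and helper names are constructed for the example.

```python
import sqlite3

# Constructed sample rows (not from the original thread).
EMPLOYEES = [(1, "Alice", 10), (2, "O'Brien", 20), (3, "Carol", 10)]
DEPARTMENTS = [(10, "Sales"), (20, "R&D")]


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (emp_id INTEGER, name TEXT, dept_id INTEGER)")
    conn.execute("CREATE TABLE departments (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    conn.executemany("INSERT INTO departments VALUES (?, ?)", DEPARTMENTS)
    return conn


def sql_quote(value):
    """What DTML's sql_quote does: double every single quote so the value can
    be placed inside a single-quoted SQL string literal."""
    return str(value).replace("'", "''")


def unsafe_employee_query(emp_id):
    """Text equivalent of "where emp_id=<dtml-var emp_id>" with no quoting:
    whatever the caller typed becomes part of the SQL statement itself."""
    return "SELECT * FROM employees WHERE emp_id=%s" % emp_id


def quoted_employee_query(emp_id):
    """Text equivalent of "where emp_id='<dtml-var emp_id sql_quote>'": the
    value stays inside one string literal, so ';' and quotes are only data."""
    return "SELECT * FROM employees WHERE emp_id='%s'" % sql_quote(emp_id)


def name_lookup_raises(conn, name):
    """True if looking a name up WITHOUT sql_quote is a SQL syntax error.
    A name such as O'Brien breaks the literal; with sql_quote it does not."""
    try:
        conn.execute("SELECT emp_id FROM employees WHERE name='%s'" % name)
        return False
    except sqlite3.OperationalError:
        return True


def build_department_query(dept_id=None, name=None):
    """Parameterised equivalent of the dtml-sqlgroup / dtml-sqltest optional
    pattern: a filter is only added when a value was supplied, and values are
    bound as parameters instead of being spliced into the SQL text, so no
    per-argument quoting is needed. Returns (sql, params)."""
    clauses, params = [], []
    if dept_id is not None:
        clauses.append("id = ?")
        params.append(int(dept_id))      # type=int: reject non-numeric input
    if name:
        clauses.append("name = ?")
        params.append(name)
    sql = "SELECT id, name FROM departments"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params


def run(conn, sql, params=()):
    """Execute one statement and return all rows."""
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(unsafe_employee_query("12; drop table employees"))
    print(quoted_employee_query("12; drop table employees"))
    print(run(db, quoted_employee_query("12; drop table employees")))
    print(run(db, *build_department_query(dept_id="10")))
```

With quoting in place the "12; drop table employees" input simply matches no row, and a name containing a single quote is looked up without error; the parameterised builder gives the same optional-argument behaviour as the DTML sqlgroup without a dtml-if around every string argument.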