[Zope] dynamically created tablename in ZSQL
Fri, 5 Jul 2002 23:28:24 +0200
Roger Erens writes:
> Any advice with respect to the safety of using the dtml-var, i.e. could the
> formfield 'tablename' be fiddled with to contain something like 'employees;
> delete from employees'?
> Is there an alternative solution to get rid of the quotes in the
I would pass a code (e.g. "1", "2", ...) and
resolve the code into a table name inside the ZSQL with
a "_.test" call (see DTML reference).