[Zope] dynamically created tablename in ZSQL

Dieter Maurer dieter@handshake.de
Fri, 5 Jul 2002 23:28:24 +0200

Roger Erens writes:
 > Any advice with respect to the safety of using the dtml-var, i.e. could the
 > formfield 'tablename' be fiddled with to contain something like 'employees;
 > delete from employees'?
 > Is there an alternative solution to get rid of the quotes in the
 > dtml-sqlvar?
I would pass a code (e.g. "1", "2", ...) and
resolve the code into a table name inside the ZSQL with
a "_.test" call (see DTML reference).
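A ZSQL method following this approach, as an added example (not code from the original thread or from Zope itself); the argument name `tablecode` and the table names `employees` and `departments` are assumptions:

```dtml
<dtml-comment>
  Assumed ZSQL method argument (declared in its Arguments field): tablecode
  Callers pass a short code, never a table name. The code is resolved to a
  fixed table name here, so the form field can only select one of the
  listed tables and cannot carry SQL of its own; dtml-var is therefore safe
  because it never renders user-supplied text.
</dtml-comment>
<dtml-let tablename="_.test(tablecode == '1', 'employees', tablecode == '2', 'departments')">
  <dtml-if tablename>
    SELECT * FROM <dtml-var tablename>
  <dtml-else>
    <dtml-raise ValueError>unknown table code</dtml-raise>
  </dtml-if>
</dtml-let>
```

Without a default argument `_.test` returns None for an unmatched code, so the `dtml-if` branch turns any unexpected value into an error instead of an SQL statement.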