[Zope] sql_quote in dtml-var in zsql-Methods

Jim Penny jpenny at universal-fasteners.com
Thu Aug 7 12:07:05 EDT 2003


On Thu, 7 Aug 2003 11:19:50 +0200
"Elena Schulz" <elena.schulz at gmx.net> wrote:

> Hi,
> 
> does anybody know the difference between <dtml-var myVar sql_quote> and
> <dtml-sqlvar myVar type=string>?
> Does sql_quote have any effects, cause I couldn't see any?

Yes, sql_quote has effects.  Primarily, it will quote single quote (')
characters correctly.

Suppose table foo has column color, and you have a ZSQL method like:
select * from foo where color='<dtml-var myVar type=string>'.
Suppose myVar is set to:
white';delete from foo;select * from foo where color='white
Then, execution of this form deletes everything from the table, and
generates no error.

But:
select * from foo where color='<dtml-var myVar sql_quote>' will
generate:
select * from foo where color='white'';delete from foo;select * from foo
where color=''white'
and, due to correct quote handling, nothing will be deleted, and,
most likely, nothing will be selected.

Please, please, always either use sql_quote or <dtml-sqlvar ...
type=string> in your ZSQL methods, even if you are sure the input is
safe.  It costs very little, and keeps you from worrying about how people
may use the method in the future.

Jim Penny

> 
> -- Elena
> 
> 
> _______________________________________________
> Zope maillist  -  Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
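The two renderings Jim walks through, as an added example that is not part of the original thread: sql_quote is modelled here as "double every single quote", the effect the post describes, not Zope's own implementation, and split_statements is a small helper written for this illustration to count how many SQL statements each rendering actually contains.

```python
# Constructed example: the injected value from the post.
INJECTION = "white';delete from foo;select * from foo where color='white"


def sql_quote(value: str) -> str:
    """Escape a value for use inside a single-quoted SQL literal by
    doubling each single quote (the effect the post attributes to
    Zope's sql_quote; this is an assumption, not Zope's code)."""
    return value.replace("'", "''")


def render_unquoted(my_var: str) -> str:
    """Equivalent of: select * from foo where color='<dtml-var myVar>'"""
    return f"select * from foo where color='{my_var}'"


def render_quoted(my_var: str) -> str:
    """Equivalent of: select * from foo where color='<dtml-var myVar sql_quote>'"""
    return f"select * from foo where color='{sql_quote(my_var)}'"


def split_statements(sql: str) -> list[str]:
    """Split on semicolons outside single-quoted literals, treating ''
    inside a literal as an escaped quote, as standard SQL does."""
    statements, current, in_string = [], [], False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_string:
            if ch == "'" and i + 1 < len(sql) and sql[i + 1] == "'":
                current.append("''")   # escaped quote, stay inside the literal
                i += 2
                continue
            if ch == "'":
                in_string = False      # closing quote of the literal
            current.append(ch)
        elif ch == "'":
            in_string = True
            current.append(ch)
        elif ch == ";":
            statements.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    if "".join(current).strip():
        statements.append("".join(current).strip())
    return statements


if __name__ == "__main__":
    for label, sql in (("unquoted", render_unquoted(INJECTION)),
                       ("sql_quote", render_quoted(INJECTION))):
        print(f"{label}: {len(split_statements(sql))} statement(s)\n  {sql}")
```

The unquoted rendering splits into three statements, the second of which is `delete from foo`; the sql_quote rendering is the single statement Jim shows, whose literal simply matches no row.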