[Zope] usage of dtml-sqltest tag in Zsql method

Dieter Maurer dieter@handshake.de
Wed, 23 Jul 2003 20:40:11 +0200


Anitha George wrote at 2003-7-23 07:08 +0000:
 >     Someone please help me out with this:
 > 
 > I am passing a string in this format (215,216) from the python script to
 > the Zsql method.
 > The SQL query should have the following form:
 >     select * from employees where id in (215,216)
 > but is as follows:
 >     select * from employees where id in '(215,216)' which does not give the 
 > required result. The id is of data type string/nb. It doesn't accept integer 
 > values.

"dtml-sqltest multiple" works as you expect only when the value is a sequence
(list or tuple or something like this). For a string, it (correctly)
behaves as you observe.

You can use:

    ... id in <dtml-var YourParameter sql_quote> ...


Be warned that the use of "dtml-var" poses a potential security
risk. Most databases provide some way to enter several canned
SQL commands, e.g. separated by ";".
When you have such a DB and someone can control "YourParameter",
he may pass (e.g.) "(123); delete from TABLE" and the rows
in "TABLE" were gone.
The "sql_quote" above should prevent this, but I am not sure
that it will escape the ";" in the example.


Dieter
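The two points in the thread, that the multiple-value test needs a real sequence rather than a string, and that interpolating a caller-controlled string with dtml-var is risky, can be shown side by side. The following is an added example written for this archive page; it is not code from the thread or from Zope. It uses Python's sqlite3 module as a stand-in for the ZSQL method's database, builds a constructed employees table with a text id column as Anitha describes, and models sql_quote as "double every single quote" (an assumption about its exact behaviour; the point is only that it does not touch a ";"). The function and table names are the example's own.

```python
import re
import sqlite3

# Constructed sample data standing in for the employees table in the question.
# The id column is text, matching "data type string/nb" in the original post.
SAMPLE_ROWS = [("215", "Alice"), ("216", "Bob"), ("300", "Carol")]


def make_db():
    """Create an in-memory database with the constructed employees table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def parse_id_list(raw):
    """Turn the '(215,216)' string the Python script passes into a real sequence.

    Only digit-only tokens are accepted; anything else raises ValueError.
    Passing the resulting list (not the string) is what makes a
    'dtml-sqltest ... multiple' behave as expected.
    """
    inner = raw.strip()
    if inner.startswith("(") and inner.endswith(")"):
        inner = inner[1:-1]
    ids = [tok.strip() for tok in inner.split(",") if tok.strip()]
    if not ids or not all(re.fullmatch(r"[0-9]+", tok) for tok in ids):
        raise ValueError("id list must contain only integers: %r" % raw)
    return ids


def is_valid_id_list(raw):
    """True when parse_id_list would accept raw, False otherwise."""
    try:
        parse_id_list(raw)
        return True
    except ValueError:
        return False


def select_by_ids(conn, ids):
    """Parameterised equivalent of 'id in (...)' fed with a sequence.

    Only the number of placeholders comes from the input; every value is
    bound by the driver, so the text of the ids never reaches the SQL parser.
    """
    placeholders = ",".join("?" * len(ids))
    sql = "SELECT id, name FROM employees WHERE id IN (%s) ORDER BY id" % placeholders
    return [row[1] for row in conn.execute(sql, list(ids))]


def sql_quote(value):
    """Stand-in for dtml-var's sql_quote (assumption): doubles single quotes only."""
    return value.replace("'", "''")


def build_interpolated(raw):
    """The text that '... id in <dtml-var YourParameter sql_quote> ...' would produce.

    Shown for comparison only: the ';' in a crafted value survives sql_quote,
    which is exactly the doubt Dieter raises above.
    """
    return "SELECT id, name FROM employees WHERE id IN %s" % sql_quote(raw)


if __name__ == "__main__":
    db = make_db()
    print(select_by_ids(db, parse_id_list("(215,216)")))
    print(is_valid_id_list("(123); delete from employees"))
    print(build_interpolated("(123); delete from employees"))
```

The safe path is the first two calls: validate the string into a list in the Python script, then hand the list to a query that binds each value. The third call only builds text and never executes it; it makes visible that quote-escaping alone is not a substitute for validation or parameter binding when the value is used unquoted inside the statement.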