On 3/18/07, Gregor Horvath <[EMAIL PROTECTED]> wrote:
> This seems to work:
>
> >>> Tour.select("tour.id = 2; delete from tour").count()
>
> After that, table tour is empty.
> Is there any patch or fix for that available?
>
> I think a select should only execute select sql's.
In principle you're probably right. The catch is that the form of select you're using allows you to specify your own SQL where clause, so protecting against this would require parsing the where clause and making sure it conforms to some set of rules. This means adding a SQL where clause parser to SQLObject and living with the overhead of having the where clause parsed twice (once by SQLObject and once by the database).

In my mind the correct solutions are:

a) Make sure your where clause isn't dodgy when you construct it by escaping any dangerous strings properly.

b) Use SQLObject to construct your where clauses for you, e.g.

>>> Tour.select(Tour.q.id == 2).count()

Schiavo
Simon
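A runnable illustration of option (b), added here and not part of the thread or of SQLObject itself: a small stand-in for SQLObject's sqlbuilder that renders `Tour.q.id == 2` as a WHERE clause whose right-hand side is always emitted as a quoted literal, run against an in-memory SQLite table with constructed rows. The names `sqlrepr`, `Expr`, `Column`, `Tour.q` and `count_where` are my own stand-ins, not SQLObject's API.

```python
import sqlite3

# Stand-in for SQLObject's sqlbuilder (my names, not SQLObject's API):
# comparing a column with == yields an Expr whose value side is a SQL literal,
# so user-supplied text can never add a second statement to the clause.


def sqlrepr(value):
    """Render one Python value as a single SQL literal."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)
    # Strings: double any embedded quote so the text cannot close the literal.
    return "'" + str(value).replace("'", "''") + "'"


class Expr:
    def __init__(self, sql):
        self.sql = sql


class Column:
    def __init__(self, table, name):
        self.table, self.name = table, name

    def __eq__(self, other):  # Tour.q.id == 2  ->  "tour.id = 2"
        return Expr("%s.%s = %s" % (self.table, self.name, sqlrepr(other)))


class Tour:
    class q:
        id = Column("tour", "id")


def count_where(conn, expr):
    """SELECT COUNT(*) using a builder-made clause (always one statement)."""
    return conn.execute("SELECT COUNT(*) FROM tour WHERE " + expr.sql).fetchone()[0]


def demo():
    conn = sqlite3.connect(":memory:")
    # Constructed sample table and rows.
    conn.executescript("CREATE TABLE tour (id INTEGER PRIMARY KEY, name TEXT);"
                       "INSERT INTO tour VALUES (1, 'Alps'), (2, 'Tatra');")
    n_ok = count_where(conn, Tour.q.id == 2)  # renders tour.id = 2 -> 1 row
    # The text from the original post, supplied as a value: it becomes the
    # literal '2; delete from tour', matches nothing, and both rows survive.
    n_bad = count_where(conn, Tour.q.id == "2; delete from tour")
    remaining = conn.execute("SELECT COUNT(*) FROM tour").fetchone()[0]
    return n_ok, n_bad, remaining, (Tour.q.id == "2; delete from tour").sql
```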