I don't see why it would be "dangerous." If the rowSelectStr is empty then all rows are selected. Otherwise, (and it is not shown above) the string of the list of table fields to compare for row selection is created programmatically from column definitions. At no time is user input directly used to generate the rowSelectStr or the colSelectStr (the keySegValues which come from the record object are first verified when the values are inserted into the record object - no invalid data is allowed to be inserted). I just have to remember not to include the "db." prefix in the rowSelectStr creation and to include the "db." prefix in the colSelectStr creation.
At least, that's my (current) understanding.

-- Rb

On Aug 17, 2:30 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
> It is not a bug.
>
> db(query)
>
> query can be a DAL query or a SQL query (string).
>
> mind that what you are doing is dangerous unless you have a way to
> restrict who can access that xmlrpc function to the administrator.
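As an added example (not code from this thread, and not web2py's own DAL code), the contrast behind mdipierro's warning: because db(query) will also accept a raw SQL string, a row-selection string built by interpolating record values lets whatever lands in the record reach the SQL, while one whose field names are taken only from the column definitions and whose values travel as bound parameters does not. It uses Python's standard sqlite3 module in place of the DAL so it runs anywhere; the table name, columns, sample rows and function names are assumptions.

```python
import sqlite3

# Constructed stand-in for a web2py table's column definitions
# (hypothetical table "product"; not the poster's actual model).
TABLE = "product"
COLUMNS = ("id", "name", "price")


def unsafe_row_select(record):
    """The dangerous pattern: the WHERE string is assembled by interpolating
    keys and values taken straight from the record object. Passed to a call
    that accepts raw SQL, anything the caller put in the record is executed."""
    return " AND ".join(f"{k} = '{v}'" for k, v in record.items())


def safe_row_select(record, columns=COLUMNS, prefix=""):
    """Field names come only from the fixed column definitions (allowlist),
    iterated from the definitions rather than from the record; values never
    touch the SQL text and are returned as bound parameters. An empty record
    yields an empty clause, i.e. all rows. `prefix` lets a caller add a
    qualifier such as 'db.' when a query style needs it (hypothetical helper,
    not a web2py API)."""
    unknown = set(record) - set(columns)
    if unknown:
        raise ValueError(f"field not in column definitions: {sorted(unknown)}")
    clause_parts, params = [], []
    for key in columns:
        if key in record:
            clause_parts.append(f"{prefix}{key} = ?")
            params.append(record[key])
    return " AND ".join(clause_parts), params


def setup_db():
    """Constructed in-memory table with a few sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE {TABLE} (id INTEGER, name TEXT, price REAL)")
    con.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?)",
                    [(1, "bolt", 0.1), (2, "nut", 0.05), (3, "gear", 9.5)])
    return con


def select_rows(con, where, params=()):
    """Run the selection; an empty WHERE string selects every row."""
    sql = f"SELECT id, name, price FROM {TABLE}"
    if where:
        sql += " WHERE " + where
    return con.execute(sql, params).fetchall()


def demo():
    con = setup_db()

    # Legitimate lookup through the allowlisted builder.
    where, params = safe_row_select({"name": "nut"})
    legit = select_rows(con, where, params)

    # Attacker-controlled value: the interpolating builder turns it into
    # "name = 'x' OR '1'='1'" and every row comes back.
    evil = {"name": "x' OR '1'='1"}
    leaked = select_rows(con, unsafe_row_select(evil))

    # The same value as a bound parameter is just a string that matches nothing.
    where, params = safe_row_select(evil)
    blocked = select_rows(con, where, params)

    # A record key that is not a defined column (an attempt to smuggle SQL in
    # through the field name) is rejected before any SQL is assembled.
    try:
        safe_row_select({"name": "nut", "1=1 OR price": 0})
        rejected = False
    except ValueError:
        rejected = True

    return legit, leaked, blocked, rejected


if __name__ == "__main__":
    print(demo())
```

The check that matters is the one the poster describes doing elsewhere: values are validated on the way into the record, and the field list is derived from the schema. The builder above makes both properties explicit at the point where the SQL is formed, so a future caller cannot quietly bypass them by passing a string through the raw-SQL path.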