Bad: Re: [Zope-dev] ZSQL using LIKE operator
No, this is bad!! Do NOT do this - it will allow bad characters in your SQL query that could allow mischievous people to tamper with your DB and possibly hack your box (depending upon what DB you are using, how it is configured, what user it runs as, etc.). This is the whole reason the dtml-sqlvar tag exists - _safe_ conversion to formats usable by your DB, including escaping of bad characters.

Instead, do this:

SELECT * FROM table WHERE keywords LIKE <dtml-sqlvar "'%' + my_var + '%'" type=string>

The expression inside the quotes will handle adding the %'s to the beginning and end of your string.

Sorry about the correction, but this can be a big security hazard...

~Jon Franz/'Coventry': http://www.zope.org/Members/Coventry
Message: 9
Date: Thu, 08 Feb 2001 07:32:48 -0500
Subject: Re: [Zope-dev] ZSQL using LIKE operator
From: Jens Vagelpohl <jens@digicool.com>
To: "Schmidt, Allen J." <aschmidt@nv.cc.va.us>, <zope-dev@zope.org>
just write it out like:
SELECT * FROM table WHERE keywords LIKE '%<dtml-var name="my_var">%'
jens
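An added example (not from the thread or from Zope itself) showing why the correction matters: it runs the raw-interpolation form from the quoted message and the sqlvar-style form side by side against an in-memory SQLite table. The `sqlvar_string` helper is an assumed emulation of `<dtml-sqlvar ... type=string>` (quote the value, double embedded single quotes); the table, its rows and the inputs are constructed for the demo.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "table".
ROWS = [("zope dtml",), ("python o'reilly",), ("sql like",)]


def sqlvar_string(value):
    """Assumed emulation of <dtml-sqlvar ... type=string>: wrap the value in
    quotes and double any embedded single quote so it stays a string literal."""
    return "'" + value.replace("'", "''") + "'"


def query_unsafe(conn, my_var):
    """The form the thread warns against: <dtml-var> pastes the raw value
    into the literal, so a quote in my_var changes the SQL itself."""
    sql = "SELECT * FROM t WHERE keywords LIKE '%" + my_var + "%'"
    return conn.execute(sql).fetchall()


def query_sqlvar(conn, my_var):
    """The recommended form: build '%' + my_var + '%' first, then let the
    sqlvar conversion turn it into one escaped literal."""
    sql = "SELECT * FROM t WHERE keywords LIKE " + sqlvar_string("%" + my_var + "%")
    return conn.execute(sql).fetchall()


def query_param(conn, my_var):
    """Same query with a DB-API bind parameter, for comparison."""
    return conn.execute(
        "SELECT * FROM t WHERE keywords LIKE ?", ("%" + my_var + "%",)
    ).fetchall()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (keywords TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)", ROWS)
    return conn


def demo(my_var):
    """Return (unsafe_result, sqlvar_result, param_result) for one input.
    A quote in my_var makes the unsafe form fail to parse; the others match."""
    conn = make_db()
    try:
        unsafe = query_unsafe(conn, my_var)
    except sqlite3.OperationalError as exc:
        unsafe = "error: " + str(exc)
    return unsafe, query_sqlvar(conn, my_var), query_param(conn, my_var)
```

With `demo("o'reilly")` the raw form raises a syntax error because the quote terminates the literal early, while both escaped forms return the matching row.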