RE: Re: [Zope-dev] ZSQL using LIKE operator
Not taken as being harsh from where I stand! The more we know...the better! Thanks for the guidelines and the URL. It has been passed on to the group that handles the MySQL on our server. Have not started using it for Production, but will be soon.
From a recent post, I noticed that this topic might be better suited for the normal Zope list. Would this be accurate? Comments welcome on accepted topics.
Thanks
Allen

-----Original Message-----
From: Jon Franz [mailto:jfranz@one.net]
Sent: Friday, February 09, 2001 10:18 AM
To: 'Schmidt, Allen J.'
Cc: 'zope-dev@zope.org'
Subject: RE: Re: [Zope-dev] ZSQL using LIKE operator

sqltest just creates the full string of the where clause segment for the test using the same kind of 'safe' sql-string logic as sqlvar: so you should be able to replace the value to test against with any valid python expression, such as the one below where the % operators are concatenated onto the variable holding the value you want to test against. :)

As for the difference between <dtml-sqlvar> and <dtml-var sqlquote> (in case anyone is confused), an sqlvar tag requires a type value and will not only perform an sqlquote on the value being inserted into the statement, but will do any/all type conversion/stripping (letters from numeric values, etc) needed based upon the requested type.

If anyone is concerned/puzzled by the security hazards I listed below, here is a URL describing problems associated with bad data used within queries and a mysql DB: http://www.mysql.com/doc/G/e/General_security.html See the bullet point beginning with 'Do not trust any data entered by your users.'

Sorry if I seemed harsh in my original post, but security is my bread and butter, so I may tend to be Loud when I see something wrong...

PS: In order to increase the safety of ZSQLMethods, maybe the basic <dtml-var> tag should be made illegal inside it? (forced usage of the safe form would break some existent code, possibly, but would avoid confusion such as this in general - and thus be safer)
-----Original Message-----
From: Schmidt, Allen J. [mailto:aschmidt@nv.cc.va.us]
Sent: Friday, February 09, 2001 7:01 AM
To: 'Jon Franz'; 'zope-dev@zope.org'
Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator
Got it. Making the change now. Thanks for keeping an eye on this thread. What about the sqltest suggestion posted on this thread? Or do sqltest and sqlvar handle DB calls in a similar fashion? Thanks
-----Original Message-----
From: Jon Franz [mailto:jfranz@one.net]
Sent: Thursday, February 08, 2001 3:54 PM
To: 'zope-dev@zope.org'
Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator
No, this is bad!! Do NOT do this - it will allow Bad <<SNIP>
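The sqlvar / sqltest versus bare dtml-var distinction that Jon Franz explains above, shown as an added Python example (not code from the thread or from Zope): a minimal re-implementation of the quoting and type-conversion behaviour, with the unsafe LIKE construction beside the recommended one. The quoting rule (doubling single quotes) and the function names are assumptions for illustration; Zope's real database adapters implement their own quoting.

```python
"""Added example: simplified model of <dtml-sqlvar>/<dtml-sqltest> versus a
bare <dtml-var> inside a LIKE clause. Not Zope's own code; the quoting rule
below (double every single quote) is an assumed standard-SQL convention."""


def sqlquote(value):
    """Model of <dtml-var name sql_quote>: wrap the value in single quotes
    and neutralise embedded single quotes by doubling them."""
    return "'" + str(value).replace("'", "''") + "'"


def sqlvar(value, sqltype):
    """Model of <dtml-sqlvar name type=...>: convert to the declared type
    first, then quote.  Non-numeric text for an int column raises here,
    so bad data never reaches the database."""
    if sqltype == "int":
        return str(int(str(value).strip()))
    if sqltype == "string":
        return sqlquote(value)
    raise ValueError("unsupported sqlvar type: %r" % sqltype)


def sqltest(column, value, sqltype, op="="):
    """Model of <dtml-sqltest>: emit the whole where-clause segment, quoting
    the value with the same logic as sqlvar."""
    return "%s %s %s" % (column, op, sqlvar(value, sqltype))


def like_clause_unsafe(name):
    """The pattern the thread warns against: bare <dtml-var> spliced into a
    hand-written quoted literal.  A quote in the data ends the literal."""
    return "WHERE name LIKE '%" + str(name) + "%'"


def like_clause_safe(name):
    """The recommended form: concatenate the % wildcards onto the value in
    Python, then let sqltest quote the complete pattern."""
    return "WHERE " + sqltest("name", "%" + name + "%", "string", op="LIKE")


if __name__ == "__main__":
    user_input = "O'Brien"  # constructed sample input containing a quote
    print(like_clause_unsafe(user_input))  # literal is broken by the quote
    print(like_clause_safe(user_input))    # quote is escaped inside the literal
```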