Bad: Re: [Zope-dev] ZSQL using LIKE operator
Got it. Making the change now. Thanks for keeping an eye on this thread. What about the sqltest suggestion posted on this thread? Or do sqltest and sqlvar handle DB calls in a similar fashion?

Thanks

-----Original Message-----
From: Jon Franz [mailto:jfranz@one.net]
Sent: Thursday, February 08, 2001 3:54 PM
To: 'zope-dev@zope.org'
Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator

No, this is bad!! Do NOT do this - it will allow bad characters in your SQL query that could allow mischievous people to tamper with your DB and possibly hack your box (depending upon what DB you are using, how it is configured, what user it runs as, etc.). This is the whole reason the dtml-sqlvar tag exists - _safe_ conversion to formats usable by your DB, including escaping of bad characters.

Instead, do this:

SELECT * FROM table WHERE keywords LIKE <dtml-sqlvar "'%' + my_var + '%'" type=string>

The expression inside the quotes will handle adding the %'s to the beginning and end of your string.

Sorry about the correction, but this can be a big security hazard...

~Jon Franz/'Coventry': http://www.zope.org/Members/Coventry
Message: 9
Date: Thu, 08 Feb 2001 07:32:48 -0500
Subject: Re: [Zope-dev] ZSQL using LIKE operator
From: Jens Vagelpohl <jens@digicool.com>
To: "Schmidt, Allen J." <aschmidt@nv.cc.va.us>, <zope-dev@zope.org>

Just write it out like:
SELECT * FROM table WHERE keywords LIKE '%<dtml-var name="my_var">%'
jens
_______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
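The two query shapes in this thread, side by side, as an added example that is not part of the original thread and not Zope code. Since a DTML method cannot be run outside Zope, the example stands in for it with Python and an in-memory sqlite3 table: like_unsafe() pastes the raw value into the SQL text the way `'%<dtml-var name="my_var">%'` does, like_quoted() applies the sqlvar-style string conversion (single quotes doubled, the minimum a type=string conversion does) to the whole `'%' + my_var + '%'` expression, and like_param() hands the pattern to the driver as a bound parameter. The table name `tbl`, its rows, and the payload strings are constructed for the demonstration. It also goes one step beyond the thread: quoting stops the value from closing the string literal, but it does not neutralise LIKE's own `%` and `_` wildcards, so a caller who wants a literal match must escape those separately.

```python
import sqlite3

# Constructed sample data (not from the thread); stands in for the
# "table" with a "keywords" column that the thread queries.
ROWS = [
    (1, "zope dtml"),
    (2, "python sql"),
    (3, "secret admin notes"),
]


def make_db():
    """Build an in-memory table to run the three query shapes against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl (id INTEGER PRIMARY KEY, keywords TEXT)")
    conn.executemany("INSERT INTO tbl VALUES (?, ?)", ROWS)
    return conn


def like_unsafe(conn, my_var):
    """Equivalent of: ... LIKE '%<dtml-var name="my_var">%'

    The raw value is spliced into the SQL text, so a single quote in it
    closes the literal and the rest of the value becomes SQL.
    """
    sql = "SELECT id FROM tbl WHERE keywords LIKE '%" + my_var + "%'"
    return [row[0] for row in conn.execute(sql)]


def sql_quote(value):
    """Minimal sqlvar-style string conversion: wrap in single quotes and
    double any single quote inside so the value cannot close the literal.
    Assumption: a dialect without backslash escapes (true for sqlite)."""
    return "'" + value.replace("'", "''") + "'"


def like_quoted(conn, my_var):
    """Equivalent of: ... LIKE <dtml-sqlvar "'%' + my_var + '%'" type=string>

    The wildcards are added to the value first, then the whole thing is
    quoted, which is what the expression form in the thread achieves.
    """
    sql = "SELECT id FROM tbl WHERE keywords LIKE " + sql_quote("%" + my_var + "%")
    return [row[0] for row in conn.execute(sql)]


def like_param(conn, my_var, escape_wildcards=False):
    """Bound-parameter form: the driver keeps data and SQL apart.

    With escape_wildcards=True the user's own % and _ are escaped so the
    query matches them literally instead of treating them as wildcards.
    """
    pattern = my_var
    if escape_wildcards:
        pattern = (pattern.replace("\\", "\\\\")
                          .replace("%", "\\%")
                          .replace("_", "\\_"))
        sql = "SELECT id FROM tbl WHERE keywords LIKE ? ESCAPE '\\'"
    else:
        sql = "SELECT id FROM tbl WHERE keywords LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + pattern + "%",))]


if __name__ == "__main__":
    conn = make_db()
    payload = "nothing' OR 1=1 --"   # constructed injection string
    print("unsafe :", like_unsafe(conn, payload))   # every row comes back
    print("quoted :", like_quoted(conn, payload))   # no row matches
    print("param  :", like_param(conn, payload))    # no row matches
    print("wild   :", like_param(conn, "%"))        # % still a wildcard
    print("escaped:", like_param(conn, "%", escape_wildcards=True))
```

With the injection string, the unsafe form turns the WHERE clause into `keywords LIKE '%nothing' OR 1=1 --%'` and returns every row; both safe forms look for the literal text and return nothing. The last two calls show the separate caveat: a bare `%` from the user still matches every row unless it is escaped, which is a matching-logic question rather than an injection one, but worth deciding deliberately.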