Anitha George wrote at 2003-7-23 07:08 +0000:
Someone please help me out with this:
I am passing a string in this format (215,216) from the Python script to the Zsql method. The SQL query should have the following form: select * from employees where id in (215,216) but is as follows: select * from employees where id in '(215,216)' which does not give the required result. The id is of data type string/nb. It doesn't accept integer values.
"dtml-sqltest multiple" works as you expect only when the value is a sequence (list or tuple or something like this). For a string, it (correctly) behaves as you observe.

You can use:

    ... id in <dtml-var YourParameter sql_quote> ...

Be warned that the use of "dtml-var" poses a potential security risk. Most databases provide some way to enter several canned SQL commands, e.g. separated by ";". When you have such a DB and someone can control "YourParameter", he may pass (e.g.) "(123); delete from TABLE" and the rows in "TABLE" would be gone. The "sql_quote" above should prevent this, but I am not sure that it will escape the ";" in the example.

Dieter
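As an added illustration of the list-versus-string point above (not part of the thread, and plain Python with sqlite3 rather than a ZSQL method): binding the whole "(215,216)" string as one value matches nothing, while validating the ids and binding one placeholder per value yields the intended IN query without interpolating any user text into the statement. The table and rows are constructed.

```python
import re
import sqlite3

# Constructed sample data, not from the original thread. The id column is
# text, as the question states.
SAMPLE_ROWS = [(214, "alice"), (215, "bob"), (216, "carol")]


def make_db():
    """Create an in-memory employees table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table employees (id text, name text)")
    conn.executemany("insert into employees values (?, ?)",
                     [(str(i), n) for i, n in SAMPLE_ROWS])
    return conn


def quoted_string_lookup(conn, id_param):
    """What the thread describes: the parameter is quoted as ONE literal,
    i.e. `id in ('(215,216)')`, so no id can ever equal it."""
    sql = "select id from employees where id in (?)"
    return [r[0] for r in conn.execute(sql, (id_param,))]


def parse_id_list(id_param):
    """Turn '(215,216)' or '215, 216' into a list of validated id strings.
    Any token that is not a plain integer is rejected, so characters such
    as ';' or quotes never reach the SQL text at all."""
    inner = id_param.strip().strip("()")
    ids = [tok.strip() for tok in inner.split(",") if tok.strip()]
    if not ids or not all(re.fullmatch(r"\d+", tok) for tok in ids):
        raise ValueError("id list must contain only integers: %r" % id_param)
    return ids


def safe_lookup(conn, id_param):
    """Expand the validated list into one bind placeholder per value
    (`id in (?, ?)`); the driver handles quoting, and only the placeholder
    count, never user text, is built into the statement."""
    ids = parse_id_list(id_param)
    placeholders = ", ".join("?" for _ in ids)
    sql = "select id from employees where id in (%s) order by id" % placeholders
    return [r[0] for r in conn.execute(sql, ids)]
```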