You should be able to use something like this (untested):

<dtml-var bar sql_quote>

That way you get the SQL quoting without the surrounding quotes.

_______________________
Ron Bickers
Logic Etc, Inc.
rbickers@logicetc.com
-----Original Message-----
From: aaronw@c.ict.om.org [mailto:aaronw@c.ict.om.org]
Sent: Wednesday, July 12, 2000 11:03 AM
To: zope@zope.org
Subject: [Zope] MySQL LIKE operator
Hello,
I'm writing a search query to a MySQL database. I want to keep people from screwing around with my database by running searches like "; delete from ... yada yada. So I should use <dtml-sqlvar>, right? But what if I want to use LIKE? If I say:

WHERE goo LIKE "%<dtml-sqlvar name=bar type=string>%"

then effectively I am saying:

WHERE goo LIKE "%'somestring'%"

In other words, it will match only the string with the single quotes. I hope this makes sense. Has anyone faced a similar problem? Thanks for any help.
--Aaron
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )
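The quoting difference the two messages discuss, as an added example that is not from either poster or from Zope: sqlvar_string and sql_quote are assumed stand-ins for the DTML formatters (assuming single quotes are doubled, the standard SQL rule), sqlite3 stands in for MySQL, and the table contents are constructed.

```python
import sqlite3

# Stand-ins for the two DTML formatters discussed in the thread (not Zope's code).
# Assumed escaping rule: double any single quote, the standard SQL convention.

def sqlvar_string(value: str) -> str:
    """Like <dtml-sqlvar type=string>: escape AND wrap in single quotes."""
    return "'" + value.replace("'", "''") + "'"

def sql_quote(value: str) -> str:
    """Like the sql_quote formatter: escape only, no surrounding quotes."""
    return value.replace("'", "''")

def run(sql: str, params=()):
    """Run against a constructed in-memory table (sqlite3 standing in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE t(name TEXT, goo TEXT);"
        "INSERT INTO t VALUES ('a','something here'),('b','other'),('c','it''s ok');"
    )
    rows = sorted(r[0] for r in conn.execute(sql, params))
    conn.close()
    return rows

def pattern_via_sqlvar(term: str) -> str:
    """Aaron's template "%<dtml-sqlvar ...>%" yields the pattern %'term'%:
    the quotes become literal characters of the LIKE pattern."""
    return "%" + sqlvar_string(term) + "%"

def search_via_sql_quote(term: str):
    """Ron's template: the SQL text owns the quotes and wildcards, the value is
    only escaped. Caveat: sql_quote leaves LIKE metacharacters (% and _) alone,
    so a term of '%' still matches every row; neutralise them separately."""
    return run("SELECT name FROM t WHERE goo LIKE '%" + sql_quote(term) + "%'")

def search_parameterized(term: str):
    """Bound parameter (preferred wherever the DB adapter supports it): the
    wildcards go into the value and the SQL text never changes."""
    return run("SELECT name FROM t WHERE goo LIKE ?", ("%" + term + "%",))

if __name__ == "__main__":
    print(pattern_via_sqlvar("something"))                    # %'something'%
    print(run("SELECT name FROM t WHERE goo LIKE ?",
              (pattern_via_sqlvar("something"),)))            # [] : nothing matches
    print(search_via_sql_quote("something"))                  # ['a']
    print(search_via_sql_quote("it's"))                       # ['c'] : quote escaped, not a terminator
    print(search_parameterized("it's"))                       # ['c']
```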