13 Feb 2002, 5:55 p.m.
Thomas B. Passin writes:
> ... select * from table where name like '%&dtml-searchphrase;%'

Please do not forget "sql_quote" inside SQL strings. Otherwise, some malicious user may play havoc with your database (by closing the string, adding a very bad SQL command in which the string is reopened).

> ... Finally, if the searchphrase value might have quotes in it, make sure to use the sql quoting option (check the docs for the exact syntax).

Do it, even when you think there should be no quotes...
Dieter
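As an added illustration (not code from the thread or from Zope), the `like '%&dtml-searchphrase;%'` pattern discussed above is tried in Python against an in-memory SQLite table, with the unquoted, sql_quote-style and bound-parameter forms side by side. The `sql_quote` here is a stand-in that only doubles single quotes (a simplification of the DTML modifier), and the table, rows and search phrases are constructed for the example.

```python
import sqlite3

# Constructed sample table so the example runs offline.
ROWS = [("Anne O'Brien",), ("Bob Smith",), ("Carla Reyes",)]


def sql_quote(value: str) -> str:
    """Stand-in for DTML's sql_quote (assumption: only quote doubling is
    modelled): double each single quote so the literal cannot be closed."""
    return value.replace("'", "''")


def _db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table people (name text)")
    conn.executemany("insert into people values (?)", ROWS)
    return conn


def search_unquoted(phrase: str) -> list:
    """The pattern from the post: the raw &dtml-searchphrase; value is
    spliced into the string literal, so any quote in it reshapes the SQL."""
    sql = f"select name from people where name like '%{phrase}%'"
    return [r[0] for r in _db().execute(sql)]


def search_quoted(phrase: str) -> list:
    """Same query with the phrase passed through sql_quote: the literal
    stays closed exactly where the author put the closing quote."""
    sql = f"select name from people where name like '%{sql_quote(phrase)}%'"
    return [r[0] for r in _db().execute(sql)]


def search_param(phrase: str) -> list:
    """Bound parameter: the driver never parses the phrase as SQL at all."""
    sql = "select name from people where name like ?"
    return [r[0] for r in _db().execute(sql, (f"%{phrase}%",))]


def unquoted_breaks(phrase: str) -> bool:
    """True when the unquoted query is no longer valid SQL for this phrase."""
    try:
        search_unquoted(phrase)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    print(unquoted_breaks("O'Brien"))            # True: literal closed early
    print(search_quoted("O'Brien"))              # ["Anne O'Brien"]
    print(search_param("O'Brien"))               # ["Anne O'Brien"]
    # A phrase that closes and reopens the string widens the match:
    print(search_unquoted("' or name like '"))   # all three rows
    print(search_quoted("' or name like '"))     # []: treated as text
```

The first case is the one an honest user triggers (a name containing an apostrophe breaks the query); the second is the one the post warns about, and quoting turns it back into a harmless search string.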