+-------[ Oliver Bleutgen ]----------------------
| > Then change your Z SQL Method to look like;
|
| > select * from Customers where
| > foofield=<dtml-sqlvar search type=string>
| > <dtml-if orderby>
| > ORDER BY <dtml-var orderby>
| > </dtml-if>
|
| Hmm, I wouldn't do that, you're trusting the client here,
| imagine someone going to
|
| http://yourserver/staff?orderby=firstname%20;%20delete from Customers;

You always validate external input, especially in a web environment. I didn't
think it was necessary to spell that out.

--
Totally Holistic Enterprises Internet| P:+61 7 3870 0066    | Andrew Milton
The Internet (Aust) Pty Ltd          | F:+61 7 3870 4477    |
ACN: 082 081 472 ABN: 83 082 081 472 | M:+61 416 022 411    | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|
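
Added example, not part of the original message or of Zope: one way to validate the orderby value discussed in this thread is an allow-list, since a column name cannot be bound as a query parameter the way the search value can. The function names, the column set beyond "firstname", and the in-memory SQLite table standing in for the Z SQL Method's database connection are assumptions.

```python
import sqlite3

# Assumed column names for Customers (only "firstname" appears in the thread).
ALLOWED_COLUMNS = {"firstname", "lastname", "foofield"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def safe_order_by(orderby):
    """Return an ORDER BY clause for allow-listed input, else raise ValueError."""
    if not orderby or not orderby.strip():
        return ""  # no ordering requested
    parts = orderby.split()
    if len(parts) > 2:
        raise ValueError("unexpected tokens in orderby")
    column = parts[0].lower()
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if column not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError("orderby not permitted")
    # Both tokens are now known members of the fixed sets above.
    return " ORDER BY %s %s" % (column, direction)


def search_customers(conn, search, orderby=None):
    # The search value is bound as a parameter (the role dtml-sqlvar plays);
    # the identifier cannot be bound, so it goes through the allow-list.
    sql = ("SELECT firstname, lastname FROM Customers WHERE foofield = ?"
           + safe_order_by(orderby))
    return conn.execute(sql, (search,)).fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (firstname TEXT, lastname TEXT, foofield TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?, ?)",
                     [("Zoe", "Adams", "x"), ("Al", "Young", "x"), ("Bo", "Lee", "y")])
    ordered = search_customers(conn, "x", "firstname desc")
    try:
        # Constructed input: the orderby value from the thread, URL-decoded.
        search_customers(conn, "x", "firstname ; delete from Customers;")
        rejected = False
    except ValueError:
        rejected = True
    remaining = conn.execute("SELECT COUNT(*) FROM Customers").fetchone()[0]
    return ordered, rejected, remaining


if __name__ == "__main__":
    print(demo())
```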