12 Jul 2000, 3:02 p.m.
Hello, I'm writing a search query to a MySQL database. I want to keep people from screwing around with my database by running searches like "; delete from ... yada yada. So I should use <dtml-sqlvar>, right? But what if I want to use LIKE? If I say: WHERE goo LIKE "%<dtml-sqlvar name=bar type=string>%" then effectively I am saying: WHERE goo LIKE "%'somestring'%". In other words, it will match only the string with the single quotes. I hope this makes sense. Has anyone faced a similar problem? Thanks for any help --Aaron
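The problem in the post is a quoting-order problem: the wildcards are written outside the sqlvar, so the quotes the sqlvar adds end up inside the LIKE pattern. The example below is added here and is not code from the post or from Zope; it uses a simplified model of what a type=string sqlvar does (double embedded single quotes, wrap in single quotes) and a toy LIKE evaluator, so that the two generated queries can be compared offline. The table name `docs`, the sample rows and the `!` escape character are constructed for the example. The fix it demonstrates is to build the whole pattern (wildcards included, user-supplied `%` and `_` escaped) first and quote that once; in DTML the same idea is to put the wildcards inside the sqlvar's value rather than around the tag.

```python
import re

ESCAPE = "!"  # LIKE escape character, passed to the database via an ESCAPE clause


def sql_quote(value):
    """Simplified model of what <dtml-sqlvar ... type=string> emits:
    embedded single quotes are doubled and the whole value is wrapped
    in single quotes (model written for this example, not Zope's code)."""
    return "'" + value.replace("'", "''") + "'"


def escape_like(value):
    """Escape LIKE metacharacters in user input so '%' and '_' typed by
    the user are matched literally instead of acting as wildcards."""
    return (value.replace(ESCAPE, ESCAPE + ESCAPE)
                 .replace("%", ESCAPE + "%")
                 .replace("_", ESCAPE + "_"))


def naive_query(term):
    """The template from the post: wildcards written around the sqlvar,
    so the quotes it adds become part of the LIKE pattern."""
    return 'SELECT * FROM docs WHERE goo LIKE "%' + sql_quote(term) + '%"'


def fixed_query(term):
    """Build the complete pattern first, then quote it exactly once."""
    pattern = "%" + escape_like(term) + "%"
    return ("SELECT * FROM docs WHERE goo LIKE " + sql_quote(pattern)
            + " ESCAPE " + sql_quote(ESCAPE))


def pattern_of(query):
    """Pull the LIKE pattern back out of a generated query (demo helper):
    handles both a single-quoted literal with doubled quotes and a
    double-quoted literal as in the post."""
    m = re.search(r"""LIKE (?:'((?:[^']|'')*)'|"([^"]*)")""", query)
    if m.group(1) is not None:
        return m.group(1).replace("''", "'")
    return m.group(2)


def like_match(pattern, text):
    """Tiny evaluator for SQL LIKE with an escape character, used only to
    show what each generated pattern actually matches."""
    regex, i = "", 0
    while i < len(pattern):
        c = pattern[i]
        if c == ESCAPE and i + 1 < len(pattern):
            regex += re.escape(pattern[i + 1])  # escaped char: literal
            i += 2
            continue
        regex += ".*" if c == "%" else "." if c == "_" else re.escape(c)
        i += 1
    return re.fullmatch(regex, text, re.DOTALL) is not None


def demo():
    """Run both templates against constructed rows; returns which rows each matches."""
    rows = ["somestring", "prefix somestring suffix", "'somestring'", "100% pure"]
    results = {}
    for label, query in (("naive", naive_query("somestring")),
                         ("fixed", fixed_query("somestring"))):
        results[label] = [r for r in rows if like_match(pattern_of(query), r)]
    # A user who types a bare '%' gets a literal match, not "everything".
    results["wildcard"] = [r for r in rows
                           if like_match(pattern_of(fixed_query("%")), r)]
    return results


if __name__ == "__main__":
    print(naive_query("somestring"))
    print(fixed_query("somestring"))
    print(demo())
```

Running it shows the naive template matching only the row that literally contains `'somestring'`, while the fixed template matches every row containing `somestring`; a quote inside the search term (`it's`) stays inside the one quoted literal, and a user-typed `%` no longer turns the search into "match all rows".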