On Friday 24 August 2001 05:03, you wrote:
> Hello again. I'm at work now and I've tried some codes. Sorry again, I'm Spanish and my English is quite bad.

Your English is as good as any on this list. Don't be so hard on yourself. No one can hear your accent in cyberspace <;-D

> > does select from Departments where name='<dtml-var name sql_quote>' work?
>
> OK! It works successfully! And it seems to be a good solution. Because:

Yes, it works for me as well...though I did something a little different: I simply did this: '<dtml-var name sql_quote>' as part of my code.

> "<< sql_quote Converts single quotes to pairs of single quotes. This is needed to safely include values in SQL strings. >>". From Zope Help System, DTML Reference, var.

I'm glad somebody found this. I wouldn't have thought to look there...

> But, why doesn't <dtml-sqlvar name type=string> work? I think every one of us wants to know.

You got that right! What a puzzle....

> This is not suitable for production code, due to security reasons.
>
> > does select from Departments where name='<dtml-var name>' work?
>
> Yes, it works too. But we have the security problem.

So I guess that name='<dtml-var name sql_quote>' is secure, but name='<dtml-var name>' is not. So far, so good. I also tried out the psycopg (as in crazy? What's up with that? :-) db adapter that Tom Jenkins suggested at http://initd.org/Software/psycopg/. It works just fine with everything the "original" way. Thanks for the help everyone...

Russell
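Added example, not part of the thread above and not Zope's own code: a small Python script that reproduces the three ways of building the Departments query discussed in the thread (raw `<dtml-var name>` interpolation, `<dtml-var name sql_quote>`, and a driver-bound parameter) and runs each against a legitimate value that happens to contain a single quote. The `sql_quote` function is my reimplementation of the behaviour the quoted DTML Reference describes (doubling single quotes), an SQLite in-memory table stands in for the PostgreSQL database, and the department names are constructed sample data.

```python
import sqlite3

# Constructed sample data: a tiny Departments table in an in-memory SQLite
# database standing in for the PostgreSQL database used in the thread.
SAMPLE_DEPARTMENTS = ["Sales", "O'Brien Research", "Support"]


def setup_db():
    """Create and populate the sample Departments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Departments (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO Departments (name) VALUES (?)",
                     [(n,) for n in SAMPLE_DEPARTMENTS])
    return conn


def sql_quote(value):
    """Assumed reimplementation of DTML's sql_quote, following the reference
    text quoted in the thread: double every single quote so the value can
    never terminate the surrounding SQL string literal."""
    return value.replace("'", "''")


def query_raw(conn, name):
    """Equivalent of:  select ... where name='<dtml-var name>'  (no quoting).
    The value is pasted straight into the SQL text."""
    sql = "SELECT id FROM Departments WHERE name='%s'" % name
    return [row[0] for row in conn.execute(sql)]


def query_sql_quoted(conn, name):
    """Equivalent of:  select ... where name='<dtml-var name sql_quote>'."""
    sql = "SELECT id FROM Departments WHERE name='%s'" % sql_quote(name)
    return [row[0] for row in conn.execute(sql)]


def query_parameterized(conn, name):
    """The value never becomes part of the SQL text; the driver binds it."""
    sql = "SELECT id FROM Departments WHERE name=?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run all three variants on one input and collect each outcome: a list
    of matching ids, or a string describing the database error raised."""
    conn = setup_db()
    results = {}
    for label, fn in (("raw", query_raw),
                      ("sql_quote", query_sql_quoted),
                      ("parameterized", query_parameterized)):
        try:
            results[label] = fn(conn, name)
        except sqlite3.Error as exc:
            results[label] = "error: %s" % exc.__class__.__name__
    return results


if __name__ == "__main__":
    for n in ("Sales", "O'Brien Research"):
        print(n, "->", compare(n))
```

For `Sales` all three variants return the same row. For `O'Brien Research` the raw variant produces malformed SQL (the embedded quote closes the string literal early) and the database rejects it, which is the same mechanism that makes the unquoted form a security problem when the value comes from a request; the `sql_quote` variant and the bound parameter both return the correct row. The bound-parameter form is what a DB adapter such as psycopg exposes and is the one to prefer where available.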