MySQL LIKE operator
Hello, I'm writing a search query to a MySQL database. I want to keep people from screwing around with my database by running searches like "; delete from ... yada yada. So I should use <dtml-sqlvar>, right? But what if I want to use LIKE? If I say: WHERE goo LIKE "%<dtml-sqlvar name=bar type=string>%" then effectively I am saying: WHERE goo LIKE "%'somestring'%". In other words, it will match only the string with the single quotes. I hope this makes sense. Has anyone faced a similar problem? Thanks for any help --Aaron
You should be able to use something like this (untested):

    <dtml-var bar sql_quote>

That way you get the SQL quoting without the surrounding quotes.

_______________________
Ron Bickers
Logic Etc, Inc.
rbickers@logicetc.com
-----Original Message----- From: aaronw@c.ict.om.org [mailto:aaronw@c.ict.om.org] Sent: Wednesday, July 12, 2000 11:03 AM To: zope@zope.org Subject: [Zope] MySQL LIKE operator
Hello,
I'm writing a search query to a MySQL database. I want to keep people from screwing around with my database by running searches like "; delete from ... yada yada. So I should use <dtml-sqlvar>, right? But what if I want to use LIKE? If I say: WHERE goo LIKE "%<dtml-sqlvar name=bar type=string>%" then effectively I am saying: WHERE goo LIKE "%'somestring'%". In other words, it will match only the string with the single quotes. I hope this makes sense. Has anyone faced a similar problem? Thanks for any help
--Aaron
Here's a sample of some larger scale SQL with just the thing you're looking for in it.

    SELECT * FROM users
    <dtml-sqlgroup where>
      <dtml-sqltest user_name_exact column=user_name type=nb optional>
    <dtml-and>
      <dtml-if user_name>
        <dtml-comment>
          The wildcards are concatenated onto the value inside the expression,
          so sqlvar quotes the whole pattern as one string literal.
        </dtml-comment>
        user_name LIKE <dtml-sqlvar "'%'+user_name+'%'" type=nb optional>
      </dtml-if>
    <dtml-and>
      <dtml-if user_firstname>
        user_firstname LIKE <dtml-sqlvar "'%'+user_firstname+'%'" type=nb optional>
      </dtml-if>
    <dtml-and>
      <dtml-if user_lastname>
        user_lastname LIKE <dtml-sqlvar "'%'+user_lastname+'%'" type=nb optional>
      </dtml-if>
    <dtml-and>
      <dtml-if user_age>
        user_age LIKE <dtml-sqlvar user_age type=nb optional>
      </dtml-if>
    <dtml-and>
      <dtml-if user_town>
        user_town LIKE <dtml-sqlvar "'%'+user_town+'%'" type=nb optional>
      </dtml-if>
    <dtml-and>
      <dtml-if user_email>
        user_email LIKE <dtml-sqlvar "'%'+user_email+'%'" type=nb optional>
      </dtml-if>
    </dtml-sqlgroup>
    ORDER BY user_name

Hope this helps
Phill
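The two replies above make the same point from different angles: the `%` wildcards are part of the *value*, so the whole pattern must be built first and then quoted or bound as a single parameter, which is what Phill's `'%'+user_name+'%'` expression inside `dtml-sqlvar` does. The example below is added here to illustrate that outside of DTML; it is not code from the thread. It uses Python's standard-library `sqlite3` as an offline stand-in for MySQL (the table, the rows and the function names are constructed for the example), shows why Aaron's first attempt matched nothing, and adds the one thing neither reply covers: escaping `%` and `_` so a user's search text is matched literally rather than interpreted as wildcards.

```python
"""LIKE with user-supplied search text: pattern built in the application,
bound as one parameter, with LIKE metacharacters escaped.

sqlite3 is used as an offline stand-in for MySQL; the sample rows and all
function names are constructed for this example.
"""
import sqlite3

# Constructed sample data: a quote, a percent sign and an underscore are
# included deliberately because each one breaks a naive approach.
ROWS = [("alice",), ("bob",), ("o'brien",), ("100%_done",)]


def make_db():
    """Build an in-memory users table loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", ROWS)
    return conn


def naive_quote(value):
    """Mimic what a string-typed sqlvar emits: a quoted, quote-doubled literal."""
    return "'" + value.replace("'", "''") + "'"


def search_wrong(conn, term):
    """Aaron's first attempt, reproduced: wildcards wrapped *around* the
    already-quoted value, giving a pattern like %'alice'%.  It is safe
    against injection (the value is quoted) but only matches names that
    literally contain the quote characters, so it normally returns nothing."""
    pattern = "%" + naive_quote(term) + "%"
    rows = conn.execute(
        "SELECT user_name FROM users WHERE user_name LIKE ? ORDER BY user_name",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]


def escape_like(term, esc="\\"):
    """Escape the LIKE metacharacters so the user's text matches literally.
    The escape character itself is doubled first so it cannot be used to
    neutralise the escaping of a following % or _."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search(conn, term, literal=True):
    """The fix from the thread: build the complete pattern in the
    application, then hand it to the driver as one parameter.  With
    literal=True the user's % and _ are matched as plain characters."""
    body = escape_like(term) if literal else term
    pattern = "%" + body + "%"
    # The driver quotes the bound value; the ESCAPE clause tells the engine
    # which character escape_like() used.  A MySQLdb cursor takes the same
    # query with %s in place of ? (assumption about that driver's placeholder style).
    rows = conn.execute(
        "SELECT user_name FROM users WHERE user_name LIKE ? ESCAPE '\\' ORDER BY user_name",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]


def row_count(conn):
    """Helper used to confirm the table survived a hostile search term."""
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("wrong:", search_wrong(db, "alice"))            # []
    print("right:", search(db, "o'brien"))                # ["o'brien"]
    print("literal %:", search(db, "%"))                  # ['100%_done']
    print("wildcard %:", search(db, "%", literal=False))  # all four rows
    print("hostile:", search(db, "'; DROP TABLE users; --"), row_count(db))
```

The `literal` flag is the design decision worth keeping in mind: Phill's DTML quotes the pattern safely, but a user who types `%` still gets a match-everything search, which is harmless for a name lookup and less so when the table is large or the column is sensitive. Escaping with an explicit `ESCAPE` clause makes that choice deliberate instead of accidental.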
participants (3)
- Aaron Williamson
- Phill Hugo
- Ron Bickers