sql_quote in dtml-var in zsql-Methods
Hi, does anybody know the difference between <dtml-var myVar sql_quote> and <dtml-sqlvar myVar type=string>? Does sql_quote have any effect, 'cause I couldn't see any? -- Elena
On Thu, 7 Aug 2003 11:19:50 +0200 "Elena Schulz" <elena.schulz@gmx.net> wrote:
Hi,
does anybody know the difference between <dtml-var myVar sql_quote> and <dtml-sqlvar myVar type=string>? Does sql_quote have any effect, 'cause I couldn't see any?
Yes, sql_quote has effects. Primarily, it will quote single quote (') characters correctly.

Suppose table foo has column color, and you have a ZSQL method like:

    select * from foo where color='<dtml-var myVar type=string>'

Suppose myVar is set to:

    white';delete from foo;select * from foo where color='white

Then, execution of this form deletes everything from the table, and generates no error.

But:

    select * from foo where color='<dtml-var myVar sql_quote>'

will generate:

    select * from foo where color='white'';delete from foo;select * from foo where color=''white'

and, due to correct quote handling, nothing will be deleted, and, most likely, nothing will be selected.

Please, please, always either use sql_quote or <dtml-sqlvar ... type=string> in your ZSQL methods, even if you are sure the input is safe. It costs very little, and keeps you from worrying about how people may use the method in the future.

Jim Penny
-- Elena
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
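An added example, not code from the thread or from Zope: it emulates the quoting behaviour Jim Penny describes for sql_quote (every single quote doubled) and checks, against an in-memory SQLite table named foo, that the quoted rendering is a single harmless statement while the unquoted rendering is three. The table contents and the driver check are assumptions of the example.

```python
import sqlite3

# Added example, not code from the thread. The template mirrors the ZSQL
# method in the reply; the value is the same constructed payload.
TEMPLATE = "select * from foo where color='{}'"
PAYLOAD = "white';delete from foo;select * from foo where color='white"


def sql_quote(value: str) -> str:
    """Double every single quote so the value cannot close the SQL string literal."""
    return value.replace("'", "''")


def render(value: str, quote: bool) -> str:
    """Render the template with or without sql_quote applied to the value."""
    return TEMPLATE.format(sql_quote(value) if quote else value)


def fresh_db() -> sqlite3.Connection:
    """Constructed sample table: two rows, so a deletion would be visible."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "create table foo(color text);"
        "insert into foo values ('white'), ('red');"
    )
    return conn


def try_query(value: str, quote: bool) -> dict:
    """Run the rendered query through execute(), which accepts one statement only.

    Returns the rows matched, whether the driver rejected the text as more than
    one statement (i.e. the value broke out of the literal), and how many rows
    remain in foo afterwards.
    """
    conn = fresh_db()
    result = {"rows": None, "multi_statement": False}
    try:
        result["rows"] = conn.execute(render(value, quote)).fetchall()
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # Older Pythons raise Warning, newer ones ProgrammingError, for
        # "You can only execute one statement at a time".
        result["multi_statement"] = True
    result["remaining"] = conn.execute("select count(*) from foo").fetchone()[0]
    conn.close()
    return result
```

With the quoted rendering the literal simply becomes the whole odd-looking value, so nothing matches and both rows survive; without quoting the template is no longer one statement, which is exactly the condition the reply warns about.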