Hi all

How can I pass a string to a SQL method that won't be quoted, i.e. so I can do something like this:

..... group by foo,blah order by <dtml-sqlvar spam>

thanks
mark
On Fri, 20 Oct 2000, Mark Twiddy wrote:

> Hi all
> How can I pass a string to a SQL method that won't be quoted,
> i.e. so I can do something like this
> ..... group by foo,blah order by <dtml-sqlvar spam>

Don't use sqlvar... just put:

    order by <dtml-var spam>

works for me. (o8

> thanks mark

Have a better one,
Curtis Maloney
> Hi all
> How can I pass a string to a SQL method that won't be quoted,
> i.e. so I can do something like this
> ..... group by foo,blah order by <dtml-sqlvar spam>
> thanks mark

Don't quote it?

    ... order by <dtml-var spam>

I use this all the time for things like

    select * from data where <dtml-var search_field> like '%<dtml-var search_term>%'

tone
Hi all

Thanks for the help. Just on that, is it safe to do

    select * from data where <dtml-var search_field> like '%<dtml-var search_term>

as search_term could contain '; drop table blah; ' or whatever? I thought by using <dtml-sqlvar > you could use untrusted values.

Thanks again
Mark

On Fri, 20 Oct 2000, Tony McDonald wrote:

> > Hi all
> > How can I pass a string to a SQL method that won't be quoted,
> > i.e. so I can do something like this
> > ..... group by foo,blah order by <dtml-sqlvar spam>
> > thanks mark
>
> Don't quote it?
>
>     ... order by <dtml-var spam>
>
> I use this all the time for things like
>
>     select * from data where <dtml-var search_field> like '%<dtml-var search_term>%'
>
> tone
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )
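The concern Mark raises is the real difference between the two tags: <dtml-var> inserts the value as-is, while <dtml-sqlvar type=string> wraps it in quotes, which is both what protects a search term and why it cannot supply an order-by column (order by 'foo' sorts by a constant). As an added example that is not code from the thread or from Zope, the plain Python below quotes values the way a string sqlvar does and accepts column names only from an allowlist; sqlvar_string, identifier, the table layout and the sample rows are all constructed for illustration.

```python
import sqlite3

# Columns a caller may sort or search on. Identifiers cannot be quoted the way
# <dtml-sqlvar> quotes a value (order by 'foo' sorts by a constant), so an
# allowlist is the defensive way to accept them. Names here are constructed.
ALLOWED_COLUMNS = {"name", "email", "foo", "blah"}

def sqlvar_string(value):
    """Quote a value like <dtml-sqlvar ... type=string>: wrap in single quotes
    and double embedded quotes so the input stays inside the literal.
    Simplified stand-in for illustration, not Zope's own implementation."""
    return "'" + str(value).replace("'", "''") + "'"

def is_allowed_column(name):
    """True only for an exact allowlisted column name."""
    return name in ALLOWED_COLUMNS

def identifier(name):
    """Stand-in for the unquoted <dtml-var> slot: refuse anything not allowlisted."""
    if not is_allowed_column(name):
        raise ValueError("refusing unknown column: %r" % name)
    return name

def build_search(search_field, search_term, order_by):
    """The list's query with identifiers allowlisted and the value quoted."""
    return "select * from data where %s like %s order by %s" % (
        identifier(search_field),
        sqlvar_string("%" + search_term + "%"),
        identifier(order_by),
    )

def run_search(search_field, search_term, order_by):
    """Run the built query against a constructed in-memory table; return the
    rows and whether the side table 'blah' still exists afterwards."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        create table data(name text, email text, foo int, blah int);
        insert into data values ('alice', 'a@example.test', 1, 2);
        insert into data values ('bob', 'b@example.test', 2, 1);
        create table blah(x int);
    """)
    rows = con.execute(build_search(search_field, search_term, order_by)).fetchall()
    survived = con.execute(
        "select count(*) from sqlite_master where name = 'blah'").fetchone()[0]
    return rows, survived == 1

if __name__ == "__main__":
    print(build_search("name", "'; drop table blah; '", "foo"))
    print(run_search("name", "ali", "foo"))
```

With the quoted form, the hostile search term from the thread becomes part of the LIKE pattern and simply matches nothing, while the same text offered as a column name is rejected before any SQL is built.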