Bad: Re: [Zope-dev] ZSQL using LIKE operator

Jon Franz jfranz@one.net
Thu, 8 Feb 2001 15:53:43 -0500


No, this is bad!! Do NOT do this - it will allow bad characters in your SQL
query that could allow mischievous people to tamper with your DB and
possibly hack your box (depending upon what DB you are using, how it is
configured, what user it runs as, etc.).
This is the whole reason the dtml-sqlvar tag exists - _safe_ conversion to
formats usable by your DB, including escaping of bad characters.

Instead, do this:

SELECT * FROM table WHERE keywords LIKE <dtml-sqlvar "'%' + my_var + '%'" type=string>

the expression inside the quotes will handle adding the %'s to the beginning
and end of your string.

Sorry about the correction, but this can be a big security hazard...

~Jon Franz/'Coventry': http://www.zope.org/Members/Coventry

>Message: 9
>Date: Thu, 08 Feb 2001 07:32:48 -0500
>Subject: Re: [Zope-dev] ZSQL using LIKE operator
>From: Jens Vagelpohl <jens@digicool.com>
>To: "Schmidt, Allen J." <aschmidt@nv.cc.va.us>, <zope-dev@zope.org>
>
>just write it out like:
>
>SELECT * FROM table WHERE keywords LIKE '%<dtml-var name="my_var">%'
>
>jens
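The two approaches in the thread, reproduced as an added example that is not part of the original messages and not Zope or DTML code: plain Python against an in-memory SQLite database, with sqlite3 parameter binding standing in for what dtml-sqlvar does (the value is handed to the driver, so quote characters in it never become part of the SQL text). The table, its rows, the "secret" row and the search functions are all constructed for the illustration. It also shows a point the thread does not raise: even with dtml-sqlvar or a bound parameter, a `%` or `_` typed by the user is still a LIKE wildcard, so if the input is meant to match literally you need an ESCAPE clause as well.

```python
import sqlite3

# Constructed sample table (not data from the original thread).
ROWS = [
    ("zope", "python web zope"),
    ("dtml", "dtml templating"),
    ("secret", "admin only"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (name TEXT, keywords TEXT)")
    conn.executemany("INSERT INTO t VALUES (?, ?)", ROWS)
    return conn


def search_unsafe(conn, my_var):
    """Mirror of  LIKE '%<dtml-var name="my_var">%'  : raw interpolation.

    A quote character in my_var terminates the string literal and the rest
    of the input is parsed as SQL.
    """
    sql = "SELECT name FROM t WHERE keywords LIKE '%" + my_var + "%'"
    return sorted(r[0] for r in conn.execute(sql))


def search_safe(conn, my_var):
    """Mirror of the dtml-sqlvar version: the value goes to the driver as a
    bound parameter, and the '%' wildcards are added to the value, never to
    the SQL text, so quotes in my_var cannot change the query.
    (sqlite3 parameter binding stands in for dtml-sqlvar's escaping.)
    """
    pattern = "%" + my_var + "%"
    rows = conn.execute("SELECT name FROM t WHERE keywords LIKE ?", (pattern,))
    return sorted(r[0] for r in rows)


def like_literal(s):
    """Escape LIKE metacharacters so user input matches literally.
    Backslash is doubled first so it can serve as the ESCAPE character."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe_literal(conn, my_var):
    """Bound parameter plus ESCAPE clause: neither quotes nor the LIKE
    wildcards '%' and '_' in my_var carry any special meaning."""
    pattern = "%" + like_literal(my_var) + "%"
    rows = conn.execute(
        "SELECT name FROM t WHERE keywords LIKE ? ESCAPE '\\'", (pattern,))
    return sorted(r[0] for r in rows)


def compare(my_var):
    """Run all three variants on a fresh database and return their results."""
    conn = make_db()
    try:
        return {
            "unsafe": search_unsafe(conn, my_var),
            "safe": search_safe(conn, my_var),
            "literal": search_safe_literal(conn, my_var),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("zope"))          # all three find the one matching row
    print(compare("' OR '' = '"))   # quote breaks out of the literal (unsafe only)
    print(compare("%"))             # bare wildcard matches every row unless escaped
```

With the input `' OR '' = '` the interpolated query becomes `... LIKE '%' OR '' = '%'` and returns every row, the "secret" one included; the bound-parameter versions search for that text literally and return nothing. With the input `%`, both the interpolated and the plain bound-parameter query return every row, and only the ESCAPE variant treats it as a literal percent sign.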