[Zope] MySQL LIKE operator
Ron Bickers
rbickers@logicetc.com
Wed, 12 Jul 2000 15:10:57 -0400
You should be able to use something like this (untested):
<dtml-var bar sql_quote>
That way you get the SQL quoting without the surrounding quotes.
_______________________
Ron Bickers
Logic Etc, Inc.
rbickers@logicetc.com
> -----Original Message-----
> From: aaronw@c.ict.om.org [mailto:aaronw@c.ict.om.org]
> Sent: Wednesday, July 12, 2000 11:03 AM
> To: zope@zope.org
> Subject: [Zope] MySQL LIKE operator
>
>
> Hello,
>
> I'm writing a search query to a MySQL database. I want to keep
> people from screwing around with my database by running searches like ";
> delete from ... yada yada. So I should use <dtml-sqlvar>, right? But
> what if I want to use LIKE?
> If I say: WHERE goo LIKE "%<dtml-sqlvar name=bar type=string>%" then
> effectively I am saying: WHERE goo LIKE "%'somestring'%". In other
> words, it will match only the string with the single quotes. I hope
> this makes sense. Has anyone faced a similar problem?
> Thanks for any help.
>
> --Aaron
>
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )
>
>
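As an added illustration of the point Ron makes above (not code from the thread or from Zope itself), here is a constructed Python approximation of the two tags, run against an in-memory SQLite table. The sql_quote and sqlvar helpers are assumptions modelled on the behaviour the thread describes, and the wildcard-escaping helper is an extra caveat the thread does not cover.

```python
import sqlite3

# Constructed stand-ins for the two DTML tags the thread compares (not Zope's
# own code): sql_quote doubles single quotes and adds no surrounding quotes;
# <dtml-sqlvar type=string> escapes the same way and then wraps it in quotes.
def sql_quote(value: str) -> str:
    return value.replace("'", "''")

def sqlvar_string(value: str) -> str:
    return "'" + sql_quote(value) + "'"

def render_like_with_sqlvar(term: str) -> str:
    # Aaron's template: sqlvar's own quotes land inside the pattern, so MySQL
    # would search for the quoted text (rendered here, not executed).
    return 'SELECT name FROM items WHERE name LIKE "%' + sqlvar_string(term) + '%"'

def render_like_with_sql_quote(term: str) -> str:
    # Ron's suggestion: escape only, and supply the quotes in the template.
    return "SELECT name FROM items WHERE name LIKE '%" + sql_quote(term) + "%'"

def escape_like_wildcards(value: str) -> str:
    # sql_quote leaves LIKE's metacharacters alone, so input containing % or _
    # still acts as a wildcard; escape them (backslash) for a literal match.
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def render_like_literal(term: str) -> str:
    # SQLite needs an explicit ESCAPE clause; MySQL treats \ as the default.
    pattern = sql_quote(escape_like_wildcards(term))
    return "SELECT name FROM items WHERE name LIKE '%" + pattern + "%' ESCAPE '\\'"

def run(sql: str) -> list:
    # Execute a rendered statement against a constructed in-memory table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?)",
                     [("O'Brien",), ("100% cotton",), ("Brie",)])
    rows = [name for (name,) in conn.execute(sql)]
    conn.close()
    return sorted(rows)

if __name__ == "__main__":
    print(render_like_with_sqlvar("Brie"))             # pattern becomes %'Brie'%
    print(run(render_like_with_sql_quote("O'Brien")))  # ["O'Brien"]
    print(run(render_like_with_sql_quote("%")))        # every row: % is a wildcard
    print(run(render_like_literal("%")))               # ['100% cotton']
```

The wildcard case is worth checking in any LIKE search that takes user input: sql_quote keeps the statement well-formed, but a bare % or _ in the term still widens the match.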