[Zope] Using sql to search in zope
Stuart 'Zen' Bishop
zen@cs.rmit.edu.au
Sat, 3 Jun 2000 09:59:18 +1000 (EST)
On Fri, 2 Jun 2000 wai@mahirnet.com wrote:
> I tried to build a search feature using sql in zope, this is what I normally
> do in sql to do a range search :
>
> select * from table1 where table1_id = %field1_value%
>
> But when I try it with zope, it will become
>
> select * from table1 where table1_id = %'value'%
The quoting is there to protect you (if value contains the SQL delimiter ';'
or whatever it is in Access, bad things can happen and might be a big
hairy security hole).
Try:
<dtml-let field1_value="'%' + field1_value + '%'">
select * from table1
where
<dtml-sqltest field1_value column=table1_id type=nb>
</dtml-let>
You might need an 'op=like' attribute to the sqltest tag (I don't know Access).
--
Stuart Bishop Work: zen@cs.rmit.edu.au
Senior Systems Alchemist Play: zen@shangri-la.dropbear.id.au
Computer Science, RMIT University
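An added illustration of the quoting point made in the reply, not code from the thread: it mirrors the dtml-let trick (wildcards added to the value, the value passed as data) in plain Python against an in-memory sqlite3 table, which stands in for the poster's Access "table1"; the rows are constructed sample data. It also covers one caveat the reply does not mention: a user-supplied '%' or '_' is itself a LIKE wildcard unless escaped.

```python
import sqlite3

# Constructed sample rows standing in for the poster's "table1".
SAMPLE_ROWS = [(1, "alpha"), (2, "O'Brien"), (3, "alphabet"), (4, "100%")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (id INTEGER, table1_id TEXT)")
    conn.executemany("INSERT INTO table1 VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_unquoted(conn, value):
    """The pattern the poster asked for: %value% spliced straight into the
    SQL text. Any quote in the value changes the statement itself."""
    sql = "SELECT id FROM table1 WHERE table1_id LIKE '%" + value + "%'"
    return [row[0] for row in conn.execute(sql)]


def unquoted_query_breaks(conn, value):
    """True if the spliced statement is no longer valid SQL for this value."""
    try:
        search_unquoted(conn, value)
    except sqlite3.OperationalError:
        return True
    return False


def search_quoted(conn, value, literal_wildcards=False):
    """What dtml-let plus sqltest achieves: the wildcards go onto the value,
    and the value reaches the database as data (a bound parameter here,
    sqltest's type=nb quoting in DTML), never as part of the statement."""
    if literal_wildcards:
        # LIKE treats % and _ inside the value as wildcards; escape them
        # when the user's text should match literally.
        value = (value.replace("\\", "\\\\")
                      .replace("%", "\\%")
                      .replace("_", "\\_"))
        sql = "SELECT id FROM table1 WHERE table1_id LIKE ? ESCAPE '\\'"
    else:
        sql = "SELECT id FROM table1 WHERE table1_id LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + value + "%",))]


if __name__ == "__main__":
    db = make_db()
    print(search_quoted(db, "alpha"))          # [1, 3]
    print(search_quoted(db, "O'Brien"))        # [2]
    print(unquoted_query_breaks(db, "O'Brien"))  # True
    print(search_quoted(db, "%", literal_wildcards=True))  # [4]
```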