[Zope] dtml-sqlvar quote
Mark Twiddy
vtwiddy@senet.com.au
Fri, 20 Oct 2000 17:51:32 +0930 (CST)
Hi all thanks for the help.
Just on that. Is it safe to do
select * from data where <dtml-var
search_field> like '%<dtml-var search_term>
as search_term could contain '; drop table blah; ' or what ever.
I thought by using <dtml-sqlvar > you could use untrusted values.
Thanks again
Mark
On Fri, 20 Oct 2000, Tony McDonald wrote:
> >
> >Hi all
> >
> >How can i pass a string to a sql method that won't be quoted.
> >
> >i.e so i can do somthing like this
> >
> >.....
> >group by foo,blah
> >order by <dtml-sqlvar spam>
> >
> >
> >thanks mark
> >
>
> don't quote it?
>
> ...
> order by <dtml-var spam>
>
>
> I use this all the time for things like
>
> select * from data where <dtml-var search_field> like '%<dtml-var search_term>%'
>
> tone
>
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )
>