[Zope] Dynamic ordering of DTML-IN?
Oliver Bleutgen <myzope@gmx.net>
Tue, 23 Jan 2001 15:45:24 +0100
> Then change your Z SQL Method to look like;
> select * from Customers where
> foofield=<dtml-sqlvar search type=string>
> <dtml-if orderby>
> ORDER BY <dtml-var orderby>
> </dtml-if>
Hmm, I wouldn't do that, you're trusting the client here,
imagine someone going to
http://yourserver/staff?orderby=firstname%20;%20delete from Customers;
(sufficient dbuser rights assumed)
I would use staff?order_id=1 (2,3,...)
etc. and then set orderby via a dictionary (or some simple
dtml-ifs).
cheers,
oliver