Reinoud van Leeuwen writes: > I does not seem to be very safe to use a construct like > > select record > from table > where field like "%<dtml-var string_from_form>" Use '<dtml-var string_from_form sql_quote>'. Dieter