[Zope] dtml-in SQL, results display
Thomas B. Passin
tpassin@mitretek.org
Wed, 10 Apr 2002 09:31:48 -0400
[Alexander Batzios]
...
Where searchField is returned as searchField:tokens. So far so good. I want
to put % in front, and after every keyword. So I try something like:
FirstNameMI like <dtml-sqlvar expr='%'+sequence-item+'%' type="string">
However, because now I use an assignment operator for an expression, Zope
takes sequence-item as two separate things, sequence minus item. Is there a
way to work around this? I tried everything I could think of, but still the
same. I would like to avoid having to use a simple dtml-var because I read
in the docs that it's better for security this way (e.g. someone can't write
DELETE * FROM tableName in the query).
[Tom P]
Use _['sequence-item'], or &dtml-sequence-item; (any DTML variable can be
referred to in this way, not just sequence-item).
You also want to use double quotes around the entire expression, and keep
dtml-sqlvar so the value is still quoted for SQL:
<dtml-sqlvar expr="'%'+_['sequence-item']+'%'" type="string">
Tom P
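The same idea shown outside Zope, as an added example that is not part of the thread: the wildcards are concatenated onto the token in code, and the finished pattern is handed to the database as a bound parameter (Python's sqlite3 placeholder standing in for dtml-sqlvar), so a token containing a quote or a DELETE statement can only ever be matched as text. The table name people and column FirstNameMI are constructed for the demo, as is the list of tokens. It also covers the one caveat the thread does not mention: % and _ inside a user-supplied token are LIKE wildcards themselves, so they are escaped with an ESCAPE clause before the wrapping % is added.

```python
import sqlite3

ESCAPE = "\\"  # single backslash, used as the LIKE escape character


def like_pattern(token: str) -> str:
    """Wrap a search token in %...% for a LIKE clause.

    LIKE metacharacters inside the token (% and _) are escaped first so that a
    user typing "%" does not turn the search into "match every row".
    """
    t = token.replace(ESCAPE, ESCAPE + ESCAPE)      # escape the escape char itself
    t = t.replace("%", ESCAPE + "%").replace("_", ESCAPE + "_")
    return "%" + t + "%"


def build_query(tokens):
    """Return (sql, params): one LIKE clause per token, all values bound."""
    # Constructed schema for the demo; ESCAPE '\' tells SQL which char escapes.
    sql = "SELECT FirstNameMI FROM people"
    if tokens:
        clauses = ["FirstNameMI LIKE ? ESCAPE '\\'" for _ in tokens]
        sql += " WHERE " + " OR ".join(clauses)
    sql += " ORDER BY FirstNameMI"
    return sql, [like_pattern(t) for t in tokens]


def search(conn, tokens):
    """Run the tokenised search; tokens play the role of searchField:tokens."""
    sql, params = build_query(tokens)
    # Bound parameters: the driver quotes each value, as dtml-sqlvar does.
    return [row[0] for row in conn.execute(sql, params)]


def demo_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (FirstNameMI TEXT)")
    conn.executemany(
        "INSERT INTO people VALUES (?)",
        [("Alexander B",), ("Thomas B",), ("Ann_Marie",), ("Pat",)],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(search(db, ["alex"]))        # substring match, wildcards added in code
    print(search(db, ["_"]))           # literal underscore, not "any character"
    print(search(db, ["' OR 1=1 --"])) # quote is data, not SQL: no rows, no error
```

Note that SQLite's LIKE is case-insensitive for ASCII, which is why "alex" finds "Alexander B"; other databases differ, so a practitioner porting the ZSQL method should check collation rather than assume it.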