[Zope] dtml-in SQL, results display

Thomas B. Passin tpassin@mitretek.org
Wed, 10 Apr 2002 09:31:48 -0400


[Alexander Batzios]
...
Where searchField is returned as searchField:tokens. So far so good. I want
to put % in front, and after every keyword. So I try something like:

FirstNameMI like <dtml-sqlvar expr='%'+sequence-item+'%' type="string">

However, because now I use an assignment operator for an expression, Zope
takes sequence-item as two separate things, sequence minus item. Is there a
way to work around this? I tried everything I could think of, but still the
same. I would like to avoid having to use a simple dtml-var because I read
in the docs that it's better for security this way (e.g. someone can't write
DELETE * FROM tableName in the query).

[Tom P]

Use _['sequence-item'], or &dtml-sequence-item;  (any DTML variable can be
referred to in this way, not just sequence-item).

You also want to use double quotes around the entire expression:

<dtml-sqlvar expr="'%'+_['sequence-item']+'%'" type="string">

Tom P
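To make the quoting point concrete, here is an added example that is not part of the thread: it reimplements, in plain Python against an in-memory SQLite table, what the per-token `<dtml-sqlvar ... type="string">` clause above produces, beside the unquoted `<dtml-var>` variant the original poster wanted to avoid. The `sql_quote` helper is a simplified stand-in for DTML's own, the column name and sample rows are constructed, and the backend is assumed to treat `''` inside a string literal as one quote (as SQLite and PostgreSQL do).

```python
import sqlite3


def sql_quote(value):
    """Simplified stand-in for DTML sql_quote (assumption: not the real one):
    double every embedded single quote and wrap the result as a SQL literal."""
    return "'" + value.replace("'", "''") + "'"


def like_clause(column, tokens):
    """What <dtml-in searchField> with one
    column like <dtml-sqlvar expr="'%'+_['sequence-item']+'%'" type="string">
    per token produces, OR-ed together: each token becomes a quoted literal."""
    return " OR ".join(
        f"{column} like {sql_quote('%' + tok + '%')}" for tok in tokens)


def unquoted_clause(column, tokens):
    """The plain <dtml-var> version: the token is pasted into the SQL text
    as-is, so a token containing a quote changes the statement's syntax."""
    return " OR ".join(f"{column} like '%{tok}%'" for tok in tokens)


def search(tokens, build=like_clause):
    """Run the generated WHERE clause over a constructed people table and
    return the matching names in insertion order."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE people (FirstNameMI TEXT)")
    con.executemany("INSERT INTO people VALUES (?)",
                    [("John Q",), ("O'Brien",), ("Alice",)])  # constructed rows
    sql = ("SELECT FirstNameMI FROM people WHERE "
           + build("FirstNameMI", tokens) + " ORDER BY rowid")
    return [row[0] for row in con.execute(sql)]


def unquoted_fails(tokens):
    """True when the unquoted build yields SQL the database rejects."""
    try:
        search(tokens, unquoted_clause)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    print(like_clause("FirstNameMI", ["o'b", "ali"]))
    print(search(["o'b", "ali"]))               # O'Brien and Alice
    print(unquoted_fails(["o'b"]))              # True: the quote broke the SQL
```

With quoting, a token such as `o'b` matches the name it should and nothing else; without it, the same token makes the statement unparseable, which is the same mechanism that lets a crafted token alter the query.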